Abstract. We introduce Parametric Linear Dynamic Logic (PLDL), which extends Linear Dynamic Logic (LDL) by adding temporal operators equipped with parameters that bound their scope. LDL itself was proposed as an extension of Linear Temporal Logic (LTL) that is able to express all ω-regular specifications while still maintaining many of LTL's desirable properties like intuitive syntax and semantics and a translation into non-deterministic Büchi automata of exponential size. However, LDL lacks capabilities to express timing constraints. By adding parameterized operators to LDL, we obtain a logic which is able to express all ω-regular properties and which subsumes parameterized extensions of LTL like Parametric LTL and PROMPT-LTL.

Our main technical contribution is a translation of PLDL formulas into non-deterministic Büchi automata of exponential size via alternating automata. This yields polynomial space algorithms for model checking and assume-guarantee model checking and a realizability algorithm with doubly-exponential running time. All three problems are also shown to be complete for these complexity classes. Moreover, we give tight upper and lower bounds on optimal parameter values for model checking and realizability. Using these bounds, we present a polynomial space procedure for model checking optimization and an algorithm with triply-exponential running time for realizability optimization. Our results show that PLDL model checking, assume-guarantee model checking, and realizability are no harder than their respective (parametric) LTL counterparts.


1 Introduction 

Linear Temporal Logic (LTL) [12] is a popular specification language for the verification and synthesis of reactive systems and provides semantic foundations for industrial logics like PSL [5]. LTL has a number of desirable properties contributing to its ongoing popularity: it does not rely on the use of variables, it has an intuitive syntax and semantics and thus gives a way for practitioners to write declarative and concise specifications. Furthermore, it is expressively equivalent to first-order logic over the natural numbers with successor and order [?] and enjoys an exponential compilation property: one can efficiently construct a language-equivalent non-deterministic Büchi automaton of exponential size in the size of the specification. The exponential compilation property yields a polynomial space model checking algorithm and a doubly-exponential time algorithm for realizability. Both problems are complete for the respective classes.

* A preliminary version of this work appeared in GandALF 2014. The research leading to this work was partially supported by the projects “TriGS” (ZI 1516/1-1) and “AVACS” (SFB/TR 14) of the German Research Foundation (DFG).

Model checking of properties described in LTL or its practical descendants is routinely applied in industrial-sized applications, especially for hardware systems [?]. Due to its complexity, realizability has not reached industrial acceptance (yet). First approaches relied on determinization of ω-automata, which is notoriously hard to implement efficiently [24]. More recent algorithms for realizability follow a Safraless construction [?], which avoids explicitly constructing the deterministic automaton, and show promise on small examples.

Despite the desirable properties, two drawbacks of LTL remain and are tackled by different approaches in the literature: first, LTL is not able to express all ω-regular properties. For example, the property “p holds on every even step” (but may or may not hold on odd steps) is not expressible in LTL, but is easily expressible by an ω-regular expression. This drawback is a serious one, since the combination of regular properties and linear-time operators is common in hardware verification languages to express modular verification properties, as in ForSpec [2]. Several extensions of LTL with regular expressions, finite automata, or grammar operators [13, ?, ?] have been proposed as a remedy.

A second drawback of classic temporal logics like LTL is the inability to natively express timing constraints. The standard semantics are unable to enforce the fulfillment of eventualities within finite time bounds, e.g., it is impossible to require that requests are granted within a fixed, but arbitrary, amount of time. While it is possible to unroll an a-priori fixed bound for an eventuality into LTL, this requires prior knowledge of the system's granularity and incurs a blow-up when translated to automata, and is thus considered impractical. A more practical way of fixing this drawback is the purpose of a long line of work in parametric temporal logics, e.g., parametric LTL (PLTL) [1], PROMPT-LTL [14] and parametric MITL [?]. These logics feature parameterized temporal operators to express time bounds, and either test the existence of a global bound, like PROMPT-LTL, or of individual bounds on the parameters, like PLTL.

Recently, the first drawback was revisited by De Giacomo and Vardi [4] by introducing an extension of LTL called linear dynamic logic (LDL), which is as expressive as ω-regular languages. The syntax of LDL is inspired by propositional dynamic logic (PDL) [10], but the semantics follow linear-time logics. In PDL and LDL, systems are expressed by regular expressions $r$ with tests, and temporal requirements are specified by two basic modalities:

– $\langle r\rangle\varphi$, stating that $\varphi$ should hold at some position where $r$ matches, and

– $[r]\varphi$, stating that $\varphi$ should hold at all positions where $r$ matches.

The operators to build regular expressions from propositional formulas are as follows: sequential composition ($r_1 ; r_2$), non-deterministic choice ($r_1 + r_2$), repetition ($r^*$), and test ($\varphi?$) of a temporal formula. On the level of the temporal operators, conjunction and disjunction are allowed. The tests allow to check temporal properties within regular expressions, and are used to encode LTL into LDL.

For example, the program “while q do a” with property $p$ holding after termination of the loop is expressed in PDL/LDL as follows:

$[(q? ; a)^* ; \neg q?]\, p.$

Intuitively, the loop condition $q$ is tested on every loop entry, the loop body $a$ is executed/consumed until $\neg q$ holds, and then the post-condition $p$ has to hold.

A request-response property (every request should eventually be responded to) can be formalized as follows:

$[\mathrm{tt}^*]\, (req \rightarrow \langle \mathrm{tt}^*\rangle\, resp).$

Both aforementioned drawbacks of LTL, the inability to express all ω-regular properties and the missing capability to specify timing constraints, have been tackled individually in a successful way in previous work, but not at the same time. Here, we propose a logic called PLDL that combines the expressivity of LDL with the parametricity of PLTL.

In PLDL, we are for example able to parameterize the eventuality of the request-response condition, denoted as

$[\mathrm{tt}^*]\, (req \rightarrow \langle \mathrm{tt}^*\rangle_{\le x}\, resp),$

which states that every request has to be followed by a response within $x$ steps.

Finally, the aforementioned property that is not expressible in LTL (“p holds on every even step”) can be expressed in PLDL as

$[(\mathrm{tt} ; \mathrm{tt})^*]\, p.$

Using the parameterized request-response property as the specification for a model checking problem entails determining whether there exists a valuation $\alpha(x)$ for $x$ such that all paths of a given system respond to requests within $\alpha(x)$ steps.

If we take the property as a specification for the PLDL realizability problem, and define $req$ as input and $resp$ as output, we compute whether there exists a winning strategy that adheres to a valuation $\alpha(x)$ and therefore ensures the delivery of responses to requests in a timely manner.

The main result of this paper is the translation of PLDL into alternating Büchi automata of linear size. Using these automata and a generalization of the alternating color technique of [14], we obtain the following results.

First, we prove that PLDL model checking is PSPACE-complete by constructing a non-deterministic Büchi automaton of exponential size and using a modified on-the-fly non-emptiness test to obtain membership in PSPACE. PSPACE-hardness follows from the conversion of LTL to PLDL. Furthermore, we give a tight exponential bound on the satisfying valuation for model checking.

Second, we consider the PLDL assume-guarantee model checking problem and show it to be PSPACE-complete as well by extending the techniques used to show the similar result for model checking.


Third, we prove that PLDL realizability is 2EXPTIME-complete. Hardness again follows from the ability to express LTL, while membership is proven by solving a parity game constructed from a deterministic parity automaton of doubly-exponential size. Additionally, we give a tight doubly-exponential bound on the satisfying valuation for realizability.

Thus, the model checking, the assume-guarantee model checking, and the realizability problem are no harder than their corresponding variants for LTL. All three solutions to these problems are extensions of the ones for PROMPT-LTL [14].

Fourth, we investigate optimization problems for PLDL, i.e., determining the optimal valuation for a formula and a system or the tightest guarantee for realizability. While the model checking optimization problem is still solvable in polynomial space, we provide a triply-exponential time algorithm for the realizability optimization problem. This leaves an exponential gap to the decision variant, as for PLTL [1]. Both algorithms are based on exhaustive search through the bounded solution space induced by the upper bounds mentioned above.

Our translation into alternating automata is also applicable to LDL on infinite traces, while De Giacomo and Vardi [4] only considered LDL on finite traces. Furthermore, our construction differs conceptually, since we present a bottom-up procedure, while they gave a top-down construction.


2 PLDL 

Let $V$ be a set of variables and let us fix a finite set $P$ of atomic propositions which we use to build formulas and to label transition systems. For a subset $A \in 2^P$ and a propositional formula $\phi$ over $P$, we write $A \models \phi$, if the variable valuation mapping elements in $A$ to true and elements not in $A$ to false satisfies $\phi$. The formulas of PLDL are given by the grammar

$\varphi ::= p \mid \neg p \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \langle r\rangle\varphi \mid [r]\varphi \mid \langle r\rangle_{\le z}\varphi \mid [r]_{\le z}\varphi$

$r ::= \phi \mid \varphi? \mid r + r \mid r ; r \mid r^*$

where $p \in P$, $z \in V$, and where $\phi$ stands for arbitrary propositional formulas over $P$. We use the abbreviations $\mathrm{tt} = p \vee \neg p$ and $\mathrm{ff} = p \wedge \neg p$ for some atomic proposition $p$. The regular expressions have two types of atoms: propositional formulas $\phi$ over the atomic propositions and tests $\varphi?$, where $\varphi$ is again a PLDL formula. Note that the semantics of the propositional atom $\phi$ differ from the semantics of the test $\phi?$: the former consumes an input letter, while tests do not. This is why both types of atoms are allowed.

The set of subformulas of $\varphi$ is denoted by $\mathrm{cl}(\varphi)$. Regular expressions are not subformulas, but the formulas appearing in the tests are, e.g., we have $\mathrm{cl}(\langle p? ; q\rangle_{\le x}\, p') = \{p, p', \langle p? ; q\rangle_{\le x}\, p'\}$. The size $|\varphi|$ of $\varphi$ is the sum of $|\mathrm{cl}(\varphi)|$ and the sum of the lengths of the regular expressions appearing in $\varphi$ (counted with multiplicity).

We define $\mathrm{var}_\Diamond(\varphi) = \{z \in V \mid \langle r\rangle_{\le z}\psi \in \mathrm{cl}(\varphi)\}$ to be the set of variables parameterizing diamond-operators in $\varphi$, $\mathrm{var}_\Box(\varphi) = \{z \in V \mid [r]_{\le z}\psi \in \mathrm{cl}(\varphi)\}$ to be the set of variables parameterizing box-operators in $\varphi$, and set $\mathrm{var}(\varphi) = \mathrm{var}_\Diamond(\varphi) \cup \mathrm{var}_\Box(\varphi)$. Usually, we will denote variables in $\mathrm{var}_\Diamond(\varphi)$ by $x$ and variables in $\mathrm{var}_\Box(\varphi)$ by $y$, if $\varphi$ is clear from the context. A formula $\varphi$ is variable-free, if $\mathrm{var}(\varphi) = \emptyset$.

The semantics of PLDL is defined inductively with respect to $w = w_0 w_1 w_2 \cdots \in (2^P)^\omega$, a position $n \in \mathbb{N}$, and a variable valuation $\alpha\colon V \to \mathbb{N}$ via

– $(w,n,\alpha) \models p$ if $p \in w_n$,

– $(w,n,\alpha) \models \neg p$ if $p \notin w_n$,

– $(w,n,\alpha) \models \varphi_0 \wedge \varphi_1$ if $(w,n,\alpha) \models \varphi_0$ and $(w,n,\alpha) \models \varphi_1$,

– $(w,n,\alpha) \models \varphi_0 \vee \varphi_1$ if $(w,n,\alpha) \models \varphi_0$ or $(w,n,\alpha) \models \varphi_1$,

– $(w,n,\alpha) \models \langle r\rangle\varphi$ if there exists $j \in \mathbb{N}$ s.t. $(n, n+j) \in \mathcal{R}(r,w,\alpha)$ and $(w,n+j,\alpha) \models \varphi$,

– $(w,n,\alpha) \models [r]\varphi$ if for all $j \in \mathbb{N}$ with $(n, n+j) \in \mathcal{R}(r,w,\alpha)$ we have $(w,n+j,\alpha) \models \varphi$,

– $(w,n,\alpha) \models \langle r\rangle_{\le z}\varphi$ if there exists $0 \le j \le \alpha(z)$ s.t. $(n, n+j) \in \mathcal{R}(r,w,\alpha)$ and $(w,n+j,\alpha) \models \varphi$, and

– $(w,n,\alpha) \models [r]_{\le z}\varphi$ if for all $0 \le j \le \alpha(z)$ with $(n, n+j) \in \mathcal{R}(r,w,\alpha)$ we have $(w,n+j,\alpha) \models \varphi$.

The relation $\mathcal{R}(r,w,\alpha) \subseteq \mathbb{N} \times \mathbb{N}$ contains all pairs $(m,n)$ such that $w_m \cdots w_{n-1}$ matches $r$ and is defined inductively by

– $\mathcal{R}(\phi,w,\alpha) = \{(n, n+1) \mid w_n \models \phi\}$ for propositional $\phi$,

– $\mathcal{R}(\varphi?,w,\alpha) = \{(n,n) \mid (w,n,\alpha) \models \varphi\}$,

– $\mathcal{R}(r_0 + r_1,w,\alpha) = \mathcal{R}(r_0,w,\alpha) \cup \mathcal{R}(r_1,w,\alpha)$,

– $\mathcal{R}(r_0 ; r_1,w,\alpha) = \{(n_0,n_2) \mid \exists n_1 \text{ s.t. } (n_0,n_1) \in \mathcal{R}(r_0,w,\alpha) \text{ and } (n_1,n_2) \in \mathcal{R}(r_1,w,\alpha)\}$, and

– $\mathcal{R}(r^*,w,\alpha) = \{(n,n) \mid n \in \mathbb{N}\} \cup \{(n_0, n_{k+1}) \mid \exists n_1, \ldots, n_k \text{ s.t. } (n_j, n_{j+1}) \in \mathcal{R}(r,w,\alpha) \text{ for all } 0 \le j \le k\}$.

We write $(w,\alpha) \models \varphi$ for $(w,0,\alpha) \models \varphi$ and say that $w$ is a model of $\varphi$ with respect to $\alpha$.

Example 1.

– The formula $\mathrm{X}_\infty p$, i.e., $[\mathrm{tt}^*]\langle \mathrm{tt}^*\rangle p$, expresses that $p$ holds true infinitely often.

– In general, every PLTL formula [1] (and thus every LTL formula) can be translated into PLDL, e.g., $\mathrm{F}_{\le x}\, p$ is expressible as $\langle \mathrm{tt}^*\rangle_{\le x}\, p$ and $p\,\mathrm{U}\,q$ as $\langle p^*\rangle q$ or $\langle p^* ; q\rangle\,\mathrm{tt}$.

– The formula $[\mathrm{tt}^*]\, (req \rightarrow \langle(\mathrm{tt} ; \mathrm{tt})^*\rangle\, resp)$ requires that every request (a position where $req$ holds) is followed by a response (a position where $resp$ holds) after an even number of steps. Note that the implication is not part of PLDL, but it can (here) be replaced by a disjunction.
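To make the semantics above concrete, here is an added Python evaluator (not part of the paper) for PLDL formulas over finite traces: the relation $\mathcal{R}$ and the satisfaction relation are implemented as defined above, with positions restricted to the finite trace, and the bounded request-response property from the introduction is checked under different valuations of $x$. The names `rel`, `sat`, `least_bound` and the constructed trace are this example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Letter = FrozenSet[str]      # one trace position: the atomic propositions that hold there
Word = List[Letter]          # a finite trace (the paper's semantics is over infinite words)
Valuation = Dict[str, int]   # alpha: variable -> bound

# PLDL formulas in negation normal form, following the grammar of Section 2.
@dataclass(frozen=True)
class Atom:
    name: str
    negated: bool = False    # negated=True is the literal "not p"
@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"
@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"
@dataclass(frozen=True)
class Diamond:               # <r> body, or <r>_{<= var} body when var is set
    r: "Regex"
    body: "Formula"
    var: Optional[str] = None
@dataclass(frozen=True)
class Box:                   # [r] body, or [r]_{<= var} body when var is set
    r: "Regex"
    body: "Formula"
    var: Optional[str] = None

# Regular expressions with tests: propositional atoms consume a letter, tests do not.
@dataclass(frozen=True)
class Prop:
    holds: Callable[[Letter], bool]
@dataclass(frozen=True)
class Test:
    body: "Formula"
@dataclass(frozen=True)
class Plus:                  # r0 + r1
    a: "Regex"
    b: "Regex"
@dataclass(frozen=True)
class Seq:                   # r0 ; r1
    a: "Regex"
    b: "Regex"
@dataclass(frozen=True)
class Star:                  # r*
    r: "Regex"
TT = Prop(lambda _: True)    # the abbreviation tt

def rel(r, w: Word, alpha: Valuation) -> Set[Tuple[int, int]]:
    """R(r, w, alpha): all (m, n), 0 <= m <= n <= len(w), such that w_m ... w_{n-1} matches r."""
    N = len(w)
    if isinstance(r, Prop):
        return {(n, n + 1) for n in range(N) if r.holds(w[n])}
    if isinstance(r, Test):  # tests are evaluated only at positions that carry a letter
        return {(n, n) for n in range(N) if sat(w, n, alpha, r.body)}
    if isinstance(r, Plus):
        return rel(r.a, w, alpha) | rel(r.b, w, alpha)
    if isinstance(r, Seq):
        ra, rb = rel(r.a, w, alpha), rel(r.b, w, alpha)
        return {(n0, n2) for (n0, n1) in ra for (m1, n2) in rb if n1 == m1}
    step = rel(r.r, w, alpha)  # Star: reflexive-transitive closure of the inner relation
    pairs = {(n, n) for n in range(N + 1)}
    while True:
        new = {(a, c) for (a, b) in pairs for (b2, c) in step if b == b2}
        if new <= pairs:
            return pairs
        pairs |= new

def sat(w: Word, n: int, alpha: Valuation, f) -> bool:
    """(w, n, alpha) |= f, the inductive definition of Section 2 restricted to a finite trace."""
    if isinstance(f, Atom):
        return (f.name in w[n]) != f.negated
    if isinstance(f, And):
        return sat(w, n, alpha, f.left) and sat(w, n, alpha, f.right)
    if isinstance(f, Or):
        return sat(w, n, alpha, f.left) or sat(w, n, alpha, f.right)
    # Temporal operators range over matches (n, n + j); a parameter z restricts j to 0..alpha(z).
    bound = alpha[f.var] if f.var is not None else len(w)
    targets = [m for (s, m) in rel(f.r, w, alpha) if s == n and m - n <= bound and m < len(w)]
    if isinstance(f, Diamond):
        return any(sat(w, m, alpha, f.body) for m in targets)
    return all(sat(w, m, alpha, f.body) for m in targets)

def least_bound(w: Word, var: str, f) -> Optional[int]:
    """Smallest alpha(var) with (w, alpha) |= f, or None; by Lemma 2 every larger value works too."""
    for k in range(len(w) + 1):
        if sat(w, 0, {var: k}, f):
            return k
    return None

# Constructed sample trace: the first request is answered after 2 steps, the second after 3.
TRACE: Word = [frozenset(s) for s in ({"req"}, set(), {"resp"}, {"req"}, set(), set(), {"resp"}, set())]
# [tt*] (not req or <tt*>_{<=x} resp): every request is answered within x steps (implication as disjunction).
BOUNDED_RESPONSE = Box(Star(TT), Or(Atom("req", negated=True), Diamond(Star(TT), Atom("resp"), var="x")))
# [(tt ; tt)*] p: p holds at every even position, the property not expressible in LTL.
EVEN_P = Box(Star(Seq(TT, TT)), Atom("p"))
```

`least_bound(TRACE, "x", BOUNDED_RESPONSE)` is the finite-trace version of the model checking optimization question from the introduction: the least $\alpha(x)$ under which the trace is a model.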

As usual for parameterized temporal logics, the use of variables has to be restricted: bounding diamond- and box-operators by the same variable leads to an undecidable satisfiability problem (cf. [1]).


Definition 1. A PLDL formula $\varphi$ is well-formed, if $\mathrm{var}_\Diamond(\varphi) \cap \mathrm{var}_\Box(\varphi) = \emptyset$.

In the following, we only consider well-formed formulas and drop the qualifier “well-formed” whenever possible.

Note that we define PLDL formulas to be in negation normal form. Nevertheless, we can define the negation of a formula using dualities.

Lemma 1. For every PLDL formula $\varphi$ there exists an efficiently constructible (not necessarily well-formed) PLDL formula $\neg\varphi$ s.t.

1. $(w,n,\alpha) \models \varphi$ if and only if $(w,n,\alpha) \not\models \neg\varphi$, and

2. $|\neg\varphi| = |\varphi|$.

Proof. We construct $\neg\varphi$ by structural induction over $\varphi$ using the dualities of the operators:

– $\neg(p) = \neg p$ and $\neg(\neg p) = p$,

– $\neg(\varphi_0 \wedge \varphi_1) = (\neg\varphi_0) \vee (\neg\varphi_1)$ and $\neg(\varphi_0 \vee \varphi_1) = (\neg\varphi_0) \wedge (\neg\varphi_1)$,

– $\neg(\langle r\rangle\varphi) = [r]\neg\varphi$ and $\neg([r]\varphi) = \langle r\rangle\neg\varphi$,

– $\neg(\langle r\rangle_{\le x}\varphi) = [r]_{\le x}\neg\varphi$ and $\neg([r]_{\le y}\varphi) = \langle r\rangle_{\le y}\neg\varphi$.

The latter claim of Lemma 1 follows from the definition of $\neg\varphi$ while the first one can be shown by a straightforward structural induction over $\varphi$.

Note that negation does not necessarily preserve well-formedness, e.g., the negation of the well-formed formula $\varphi_0 = [([p]_{\le x}\, p)?]_{\le x}\, p$ is $\langle([p]_{\le x}\, p)?\rangle_{\le x}\, \neg p$, which is not well-formed.

We consider the following fragments of PLDL. Let $\varphi$ be a PLDL formula:

– $\varphi$ is an LDL formula [4], if $\varphi$ is variable-free,

– $\varphi$ is a $\mathrm{PLDL}_\Diamond$ formula, if $\mathrm{var}_\Box(\varphi) = \emptyset$, and

– $\varphi$ is a $\mathrm{PLDL}_\Box$ formula, if $\mathrm{var}_\Diamond(\varphi) = \emptyset$ and if $\neg\varphi$ is a $\mathrm{PLDL}_\Diamond$ formula.¹ Note that this implies that a $\mathrm{PLDL}_\Box$ formula cannot have parameterized subformulas in a test.

Every LDL, $\mathrm{PLDL}_\Diamond$, and $\mathrm{PLDL}_\Box$ formula is well-formed by definition. As satisfaction of LDL formulas is independent of valuations, we write $(w,n) \models \varphi$ and $w \models \varphi$ instead of $(w,n,\alpha) \models \varphi$ and $(w,\alpha) \models \varphi$, respectively, if $\varphi$ is an LDL formula.

LDL is as expressive as ω-regular languages, which can be proven by a straightforward translation of $\mathrm{ETL}_f$ [29], which expresses exactly the ω-regular languages, into LDL, and by a translation of LDL into Büchi automata.

Theorem 1 ([28]). Let $L \subseteq (2^P)^\omega$. The following are effectively equivalent:

1. $L$ is ω-regular.

2. There exists an LDL formula $\varphi$ such that $L = \{w \in (2^P)^\omega \mid w \models \varphi\}$.

¹ The definition of $\mathrm{PLDL}_\Box$ in the conference version [7] is slightly too inclusive, because it contains the formula $\varphi_0$. This is problematic, as we have to require the negation of a $\mathrm{PLDL}_\Box$ formula to be a $\mathrm{PLDL}_\Diamond$ formula.


A simple, but very useful property of PLDL is the monotonicity of the parameterized operators: increasing (decreasing) the values of parameters bounding diamond-operators (box-operators) preserves satisfaction.

Lemma 2. Let $\varphi$ be a PLDL formula and let $\alpha$ and $\beta$ be variable valuations satisfying $\beta(x) \ge \alpha(x)$ for every $x \in \mathrm{var}_\Diamond(\varphi)$ and $\beta(y) \le \alpha(y)$ for every $y \in \mathrm{var}_\Box(\varphi)$. If $(w,\alpha) \models \varphi$, then $(w,\beta) \models \varphi$.

The previous lemma allows us to eliminate parameterized box-operators when asking for the existence of a variable valuation satisfying a formula.

Lemma 3. For every PLDL formula $\varphi$ there is an efficiently constructible $\mathrm{PLDL}_\Diamond$ formula $\varphi'$ whose size is at most the size of $\varphi$ such that

1. for every $\alpha$ there is an $\alpha'$ such that for all $w$: $(w,\alpha) \models \varphi$ implies $(w,\alpha') \models \varphi'$, and

2. for every $\beta'$ there is a $\beta$ such that for all $w$: $(w,\beta') \models \varphi'$ implies $(w,\beta) \models \varphi$.

Proof. For each $r$, we construct a test $\hat{r}$ such that $\mathcal{R}(r,w,\alpha) \cap \{(n,n) \mid n \in \mathbb{N}\} = \mathcal{R}(\hat{r},w,\alpha)$ for every $w$ and every $\alpha$. Then, $[r]_{\le y}\psi$ and $[\hat{r}]\psi$ are equivalent, provided we have $\alpha(y) = 0$, which in combination with monotonicity is sufficient to prove our claim. We apply the following rewriting rules (in the given order) to $r$:

1. Replace every subexpression $r'^*$ by $\mathrm{tt}?$, until no longer applicable.

2. Replace every subexpression $\phi ; r'$ or $r' ; \phi$ by $\mathrm{ff}?$ and replace every subexpression $\phi + r'$ or $r' + \phi$ by $r'$, where $\phi$ is a propositional formula, until no longer applicable.

3. Replace every subexpression $\theta_0? + \theta_1?$ by $(\theta_0 \vee \theta_1)?$ and replace every subexpression $\theta_0? ; \theta_1?$ by $(\theta_0 \wedge \theta_1)?$, until no longer applicable.

After step 2, $r$ contains no iterations and no propositional atoms unless the expression itself is one. In the former case, applying the last two rules yields a regular expression which is a single test, denoted by $\hat{r}$. In the latter case, we define $\hat{r} = \mathrm{ff}?$.

Each rewriting step preserves the intersection $\mathcal{R}(r,w,\alpha) \cap \{(n,n) \mid n \in \mathbb{N}\}$. As $\hat{r}$ is a test, we conclude $\mathcal{R}(r,w,\alpha) \cap \{(n,n) \mid n \in \mathbb{N}\} = \mathcal{R}(\hat{r},w,\alpha)$ for every $w$ and every $\alpha$. Note that $\hat{r}$ can be efficiently computed from $r$ and its size is at most the size of $r$. Now, replace every subformula $[r]_{\le y}\psi$ of $\varphi$ by $[\hat{r}]\psi$ and denote the formula obtained by $\varphi'$, which is a $\mathrm{PLDL}_\Diamond$ formula that is efficiently constructible and has the desired size.

Given an $\alpha$, we define $\alpha'$ by $\alpha'(z) = 0$ if $z \in \mathrm{var}_\Box(\varphi)$, and $\alpha'(z) = \alpha(z)$ otherwise. If $(w,\alpha) \models \varphi$, then $(w,\alpha') \models \varphi$ due to monotonicity. By construction of $\varphi'$, we also have $(w,\alpha') \models \varphi'$. On the other hand, if $(w,\beta') \models \varphi'$ for some $\beta'$, then $(w,\beta) \models \varphi'$ as well, where $\beta(z) = 0$, if $z \in \mathrm{var}_\Box(\varphi)$, and $\beta(z) = \beta'(z)$ otherwise. By construction of $\varphi'$, we conclude $(w,\beta) \models \varphi$.
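As an added illustration (not from the paper), the rewriting of Lemma 3 implemented in Python over a tuple encoding of regular expressions; the rules are applied bottom-up, which yields the same single test as the three ordered passes above. The function names and the sample expression are this example's own.

```python
from typing import Tuple

# Regular expressions with tests as nested tuples: ("prop", phi), ("test", theta),
# ("plus", r0, r1), ("seq", r0, r1) and ("star", r). Propositional formulas phi and test
# bodies theta are kept as strings, because the rewriting only inspects the expression's shape.
Regex = Tuple


def _rewrite(r: Regex) -> Regex:
    """Apply the rules of Lemma 3 bottom-up; the result is a single test or a lone atom."""
    kind = r[0]
    if kind == "star":                             # step 1: r'* always matches the empty word
        return ("test", "tt")
    if kind in ("prop", "test"):
        return r
    a, b = _rewrite(r[1]), _rewrite(r[2])
    if kind == "seq":
        if a[0] == "prop" or b[0] == "prop":       # step 2: phi ; r' and r' ; phi consume a letter
            return ("test", "ff")
        return ("test", f"({a[1]}) and ({b[1]})")  # step 3: theta0? ; theta1? -> (theta0 and theta1)?
    if a[0] == "prop":                             # step 2: phi + r' -> r' (the atom has no empty match)
        return b
    if b[0] == "prop":
        return a
    return ("test", f"({a[1]}) or ({b[1]})")       # step 3: theta0? + theta1? -> (theta0 or theta1)?


def to_test(r: Regex) -> Regex:
    """The test r-hat of Lemma 3: its matches are exactly the empty matches (n, n) of r."""
    out = _rewrite(r)
    return ("test", "ff") if out[0] == "prop" else out   # a lone propositional atom becomes ff?


# Constructed input: r = (p? ; q)* + (a? ; b?), a sum of an iteration and a sequence of tests.
SAMPLE = ("plus", ("star", ("seq", ("test", "p"), ("prop", "q"))),
          ("seq", ("test", "a"), ("test", "b")))
```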



2.1 The Alternating Color Technique and $\mathrm{LDL}_{cp}$

In this subsection, we repeat the alternating color technique [14], which was introduced by Kupferman et al. to solve the model checking and the realizability problem for PROMPT-LTL, amongst others. Let $p \notin P$ be a fresh proposition and define $P' = P \cup \{p\}$. We think of words in $(2^{P'})^\omega$ as colorings of words in $(2^P)^\omega$, i.e., $w' \in (2^{P'})^\omega$ is a coloring of $w \in (2^P)^\omega$, if we have $w'_n \cap P = w_n$ for every position $n$. Furthermore, $n$ is a changepoint, if $n = 0$ or if the truth value of $p$ differs at positions $n-1$ and $n$. A block is a maximal infix that has exactly one changepoint, which is at the first position of the infix. By maximality, this implies that the first position after a block is a changepoint. Let $k \ge 1$. We say that $w'$ is $k$-bounded, if every block has length at most $k$, which implies that $w'$ has infinitely many changepoints. Dually, $w'$ is $k$-spaced, if it has infinitely many changepoints and every block has length at least $k$.

The alternating color technique replaces every parameterized diamond-operator $\langle r\rangle_{\le x}\psi$ by an unparameterized one that requires the formula $\psi$ to be satisfied within at most one color change. To this end, we introduce a changepoint-bounded variant $\langle\cdot\rangle_{cp}$ of the diamond-operator. Since we need the dual operator to allow for negation via dualization, we introduce it here as well:

– $(w,n,\alpha) \models \langle r\rangle_{cp}\psi$ if there exists a $j \in \mathbb{N}$ s.t. $(n,n+j) \in \mathcal{R}(r,w,\alpha)$, $w_n \cdots w_{n+j-1}$ contains at most one changepoint, and $(w,n+j,\alpha) \models \psi$, and

– $(w,n,\alpha) \models [r]_{cp}\psi$ if for all $j \in \mathbb{N}$ with $(n,n+j) \in \mathcal{R}(r,w,\alpha)$ and where $w_n \cdots w_{n+j-1}$ contains at most one changepoint we have $(w,n+j,\alpha) \models \psi$.

We denote the logic obtained by disallowing parameterized operators, but allowing changepoint-bounded operators, by $\mathrm{LDL}_{cp}$. Note that the semantics of $\mathrm{LDL}_{cp}$ formulas are independent of variable valuations. Hence, we drop them from our notation for the satisfaction relation $\models$ and the relation $\mathcal{R}$. Also, Lemma 1 can be extended to $\mathrm{LDL}_{cp}$ by adding the rules $\neg(\langle r\rangle_{cp}\psi) = [r]_{cp}\neg\psi$ and $\neg([r]_{cp}\psi) = \langle r\rangle_{cp}\neg\psi$ to the proof.

Now, we are ready to introduce the alternating color technique. Given a $\mathrm{PLDL}_\Diamond$ formula $\varphi$, let $\mathrm{rel}(\varphi)$ be the formula obtained by inductively replacing every subformula $\langle r\rangle_{\le x}\psi$ by $\langle \mathrm{rel}(r)\rangle_{cp}\, \mathrm{rel}(\psi)$, i.e., we replace the parameterized diamond-operator by a changepoint-bounded one. Note that this replacement is also performed in the regular expressions, i.e., $\mathrm{rel}(r)$ is the regular expression obtained by applying the replacement to every test $\theta?$ in $r$.

Given a $\mathrm{PLDL}_\Diamond$ formula $\varphi$ let $c(\varphi) = \mathrm{rel}(\varphi) \wedge \mathrm{X}_\infty p \wedge \mathrm{X}_\infty \neg p$ (cf. Example 1), which is an $\mathrm{LDL}_{cp}$ formula and only linearly larger than $\varphi$. On $k$-bounded and $k$-spaced colorings of $w$ (for a suitable $k$) there is an equivalence between $\varphi$ and $c(\varphi)$. The proof is similar to the original one for PROMPT-LTL [14].

Lemma 4 (cf. Lemma 2.1 of [14]). Let $\varphi$ be a $\mathrm{PLDL}_\Diamond$ formula and let $w \in (2^P)^\omega$.

1. If $(w,\alpha) \models \varphi$, then $w' \models c(\varphi)$ for every $k$-spaced coloring $w'$ of $w$, where $k = \max_{x \in \mathrm{var}(\varphi)} \alpha(x)$.

2. Let $k \in \mathbb{N}$. If $w'$ is a $k$-bounded coloring of $w$ with $w' \models c(\varphi)$, then $(w,\alpha) \models \varphi$, where $\alpha(x) = 2k$ for every $x$.

3 From $\mathrm{LDL}_{cp}$ to Alternating Büchi Automata

In this section, we show how to translate $\mathrm{LDL}_{cp}$ formulas into alternating Büchi word automata with linearly many states, but possibly with an exponential number of transitions, using an inductive bottom-up approach. These automata allow us to use automata-based constructions to solve the model checking and the realizability problem for PLDL via the alternating color technique which links PLDL and $\mathrm{LDL}_{cp}$. Since these problems are shown to be complete for the complexity classes PSPACE and 2EXPTIME, which allow us to construct the automata (on-the-fly), the potentially exponential number of transitions is not an issue.

An alternating Büchi automaton $\mathfrak{A} = (Q, \Sigma, q_0, \delta, F)$ consists of a finite set $Q$ of states, an alphabet $\Sigma$, an initial state $q_0 \in Q$, a transition function $\delta\colon Q \times \Sigma \to \mathbb{B}^+(Q)$, and a set $F \subseteq Q$ of accepting states. Here, $\mathbb{B}^+(Q)$ denotes the set of positive boolean combinations over $Q$, which contains in particular the formulas $\mathrm{tt}$ (true) and $\mathrm{ff}$ (false).

A run of $\mathfrak{A}$ on $w = w_0 w_1 w_2 \cdots \in \Sigma^\omega$ is a directed graph $\rho = (V, E)$ where $V \subseteq Q \times \mathbb{N}$ and $((q,n),(q',n')) \in E$ implies $n' = n+1$, such that the following two conditions are satisfied: $(q_0, 0) \in V$ and for all $(q,n) \in V$: $\mathrm{Succ}_\rho(q,n) \models \delta(q, w_n)$. Here $\mathrm{Succ}_\rho(q,n)$ denotes the set of successors of $(q,n)$ in $\rho$ projected to $Q$. A run $\rho$ is accepting if all infinite paths (projected to $Q$) through $\rho$ visit $F$ infinitely often. The language $L(\mathfrak{A})$ contains all $w \in \Sigma^\omega$ that have an accepting run of $\mathfrak{A}$.

Theorem 2. For every $\mathrm{LDL}_{cp}$ formula $\varphi$, there is an alternating Büchi automaton $\mathfrak{A}_\varphi$ with linearly many states (in $|\varphi|$) and $L(\mathfrak{A}_\varphi) = \{w \in (2^{P'})^\omega \mid w \models \varphi\}$.

To prove the theorem, we inductively construct automata $\mathfrak{A}_\psi$ for every subformula $\psi \in \mathrm{cl}(\varphi)$ satisfying $L(\mathfrak{A}_\psi) = \{w \in (2^{P'})^\omega \mid w \models \psi\}$.

The automata for atomic formulas are straightforward and depicted in Figures 1(a) and (b). To improve readability, we allow propositional formulas over $P'$ as transition labels: a formula $\phi$ stands for all sets $A \in 2^{P'}$ with $A \models \phi$.

Furthermore, given automata $\mathfrak{A}_{\psi_0}$ and $\mathfrak{A}_{\psi_1}$, using a standard construction, we can build the automaton $\mathfrak{A}_{\psi_0 \vee \psi_1}$ by taking the disjoint union of the two automata, adding a new initial state $q_0$ with $\delta(q_0, A) = \delta^0(q_0^0, A) \vee \delta^1(q_0^1, A)$. Here, $q_0^i$ is the initial state and $\delta^i$ is the transition function of $\mathfrak{A}_{\psi_i}$. The automaton $\mathfrak{A}_{\psi_0 \wedge \psi_1}$ is defined similarly, the only difference being $\delta(q_0, A) = \delta^0(q_0^0, A) \wedge \delta^1(q_0^1, A)$.

It remains to consider temporal formulas, e.g., $\langle r\rangle\psi$. First, we turn the regular expression $r$ into an automaton $\mathfrak{A}_r$. Recall that tests do not process input letters. Hence, we disregard the tests when defining the transition function, but we label states at which the test has to be executed by this test. We adapt the Thompson construction [?] to turn $r$ into $\mathfrak{A}_r$, i.e., we obtain an ε-NFA. Then, we show how to combine $\mathfrak{A}_r$ with the automaton $\mathfrak{A}_\psi$ and the automata $\mathfrak{A}_{\theta_1}, \ldots, \mathfrak{A}_{\theta_k}$, where $\theta_1?, \ldots, \theta_k?$ are the tests occurring in $r$. The ε-transitions introduced by the Thompson construction are removed during the construction, since alternating automata do not allow them. During this construction, we also ensure that the transition relation takes tests into account by introducing universal transitions that lead from a state marked with $\theta_j?$ into the corresponding automaton $\mathfrak{A}_{\theta_j}$.

Fig. 1. The automata $\mathfrak{A}_p$ (a), $\mathfrak{A}_{\neg p}$ (b), and $\mathfrak{A}_{cp}$ (c), which tracks changepoints.

An ε-NFA with markings $\mathfrak{A} = (Q, \Sigma, q_0, \delta, C, m)$ consists of a finite set $Q$ of states, an alphabet $\Sigma$, an initial state $q_0 \in Q$, a transition function $\delta\colon Q \times (\Sigma \cup \{\varepsilon\}) \to 2^Q$, a set $C$ of final states ($C$, since we use them to concatenate automata), and a partial marking function $m$, which assigns to some states $q \in Q$ an $\mathrm{LDL}_{cp}$ formula $m(q)$. We write $q \xrightarrow{a} q'$, if $q' \in \delta(q,a)$ for $a \in \Sigma \cup \{\varepsilon\}$. An ε-path $\pi$ from $q$ to $q'$ in $\mathfrak{A}$ is a sequence $\pi = q_1 \cdots q_k$ of $k \ge 1$ states with $q = q_1 \xrightarrow{\varepsilon} \cdots \xrightarrow{\varepsilon} q_k = q'$. The set of all ε-paths from $q$ to $q'$ is denoted by $\Pi(q,q')$ and $m(\pi) = \{m(q_i) \mid 1 \le i \le k\}$ is the set of markings visited by $\pi$.

A run of $\mathfrak{A}$ on $w_0 \cdots w_{n-1} \in \Sigma^*$ is a sequence $q_0 q_1 \cdots q_n$ of states such that for every $i$ in the range $0 \le i \le n-1$ there is a state $q'_i$ reachable from $q_i$ via an ε-path $\pi_i$ and with $q_{i+1} \in \delta(q'_i, w_i)$. The run is accepting if there is a $q'_n \in C$ reachable from $q_n$ via an ε-path $\pi_n$. This slightly unusual definition (but equivalent to the standard one) simplifies our reasoning below. Also, the definition is oblivious to the marking.

We begin by defining the automaton $\mathfrak{A}_r$ by induction over the structure of $r$ as depicted in Figure 2. Note that the automata we construct have no outgoing edges leaving the unique final state and that we mark some states with tests $\theta_j?$ (denoted by labeling states with the test).

Lemma 5. Let $w = w_0 w_1 w_2 \cdots \in (2^{P'})^\omega$ and let $w_0 \cdots w_{n-1}$ be a (possibly empty, if $n = 0$) prefix of $w$. The following two statements are equivalent:

1. $\mathfrak{A}_r$ has an accepting run on $w_0 \cdots w_{n-1}$ with ε-paths $\pi_0, \ldots, \pi_n$ such that $w_i w_{i+1} w_{i+2} \cdots \models \bigwedge m(\pi_i)$ for every $i$ in the range $0 \le i \le n$.

2. $(0,n) \in \mathcal{R}(r,w)$.

Fig. 2. The inductive definition of $\mathfrak{A}_r$ via the Thompson construction.

Fix $\psi$ and $r$ (with tests $\theta_1?, \ldots, \theta_k?$) and let $\mathfrak{A}_r = (Q^r, 2^{P'}, q_0^r, \delta^r, C^r, m)$, $\mathfrak{A}_\psi = (Q', 2^{P'}, q'_0, \delta', F')$, and $\mathfrak{A}_{\theta_j} = (Q^j, 2^{P'}, q_0^j, \delta^j, F^j)$ for $j = 1, \ldots, k$ be the corresponding automata, which we assume to have pairwise disjoint sets of states. Next, we show how to construct $\mathfrak{A}_{\langle r\rangle\psi}$, $\mathfrak{A}_{[r]\psi}$, $\mathfrak{A}_{\langle r\rangle_{cp}\psi}$ and $\mathfrak{A}_{[r]_{cp}\psi}$.

We begin with $\langle r\rangle\psi$ and define

$$\mathfrak{A}_{\langle r\rangle\psi} = (Q^r \cup Q' \cup Q^1 \cup \cdots \cup Q^k,\ 2^{P'},\ q_0^r,\ \delta,\ F' \cup F^1 \cup \cdots \cup F^k)$$

with

$$\delta(q,A) = \begin{cases}
\delta'(q,A) & \text{if } q \in Q', \\[2pt]
\delta^j(q,A) & \text{if } q \in Q^j, \\[2pt]
\displaystyle \bigvee_{q' \in Q^r \setminus C^r}\ \bigvee_{\pi \in \Pi(q,q')}\ \bigvee_{p \in \delta^r(q',A)} \Big(p \wedge \bigwedge_{\theta_j? \in m(\pi)} \delta^j(q_0^j, A)\Big) \\[6pt]
\displaystyle \qquad \vee\ \bigvee_{q' \in C^r}\ \bigvee_{\pi \in \Pi(q,q')} \Big(\delta'(q'_0, A) \wedge \bigwedge_{\theta_j? \in m(\pi)} \delta^j(q_0^j, A)\Big) & \text{if } q \in Q^r.
\end{cases}$$

So, $\mathfrak{A}_{\langle r\rangle\psi}$ is the union of the automata for the regular expression, the tests, and for $\psi$ with a modified transition function. The transitions of the automata $\mathfrak{A}_\psi$ and $\mathfrak{A}_{\theta_j}$ are left unchanged and the transition function for states in $Q^r$ is obtained by removing ε-transitions. First consider the upper disjunct: it ranges disjunctively over all states $p$ that are reachable via an initial ε-path and an $A$-transition in the end. To account for the tests visited during the ε-path (but not the test at $p$), we conjunctively add transitions that lead into the corresponding automata. The lower disjunct is similar, but ranges over ε-paths that end in a final state, which requires the $A$ to be processed in $\mathfrak{A}_\psi$. Since we concatenate the automaton $\mathfrak{A}_r$ with the automaton $\mathfrak{A}_\psi$, all edges leading into final states of $\mathfrak{A}_r$ are rerouted to the successors of the initial state of $\mathfrak{A}_\psi$. The tests along the ε-paths are accounted for as in the first case. Finally, note that $Q^r$ does not contain any (Büchi) accepting states, i.e., every accepting run on $w$ has to leave $Q^r$ after a finite number of transitions. Since this requires transitions that would lead $\mathfrak{A}_r$ into a final state, we ensure the existence of a position $n$ such that $(0,n) \in \mathcal{R}(r,w)$.

The definition of $\mathfrak{A}_{[r]\psi}$ is dual, which requires us to consider the negation of the tests: let $\mathfrak{A}_{\neg\theta_j} = (\overline{Q}^j, 2^{P'}, \overline{q}_0^j, \overline{\delta}^j, \overline{F}^j)$ for $j = 1, \ldots, k$ be automata for the negation of the tests $\theta_1?, \ldots, \theta_k?$ appearing in $r$. Recall that $\neg\theta_j$ always refers to the formula obtained by propagating the negation according to Lemma 1, and thus the automata for the negated tests can be obtained without using automata complementation. Furthermore, to construct $\mathfrak{A}_{[r]\psi}$ we remove ε-paths of $\mathfrak{A}_r$ in a universal manner to account for the fact that the box-operator quantifies over all matches with $r$.

Formally, we define

$$\mathfrak{A}_{[r]\psi} = (Q^r \cup Q' \cup \overline{Q}^1 \cup \cdots \cup \overline{Q}^k,\ 2^{P'},\ q_0^r,\ \delta,\ Q^r \cup F' \cup \overline{F}^1 \cup \cdots \cup \overline{F}^k)$$

where

$$\delta(q,A) = \begin{cases}
\delta'(q,A) & \text{if } q \in Q', \\[2pt]
\overline{\delta}^j(q,A) & \text{if } q \in \overline{Q}^j, \\[2pt]
\displaystyle \bigwedge_{q' \in Q^r \setminus C^r}\ \bigwedge_{\pi \in \Pi(q,q')}\ \bigwedge_{p \in \delta^r(q',A)} \Big(p \vee \bigvee_{\theta_j? \in m(\pi)} \overline{\delta}^j(\overline{q}_0^j, A)\Big) \\[6pt]
\displaystyle \qquad \wedge\ \bigwedge_{q' \in C^r}\ \bigwedge_{\pi \in \Pi(q,q')} \Big(\delta'(q'_0, A) \vee \bigvee_{\theta_j? \in m(\pi)} \overline{\delta}^j(\overline{q}_0^j, A)\Big) & \text{if } q \in Q^r.
\end{cases}$$

Note that we add $Q^r$ to the (Büchi) accepting states, since a path of a run on $w$ might stay in $Q^r$ forever, as it has to consider all $n$ with $(0,n) \in \mathcal{R}(r,w)$.

For the changepoint-bounded operators, we have to modify $\mathfrak{A}_r$ to make it count color changes. Let $\mathfrak{A}_{cp} = (Q^{cp}, 2^{P'}, q_0^{cp}, \delta^{cp}, C^{cp})$ be the DFA depicted in Figure 1(c). We define the product $\mathfrak{A}_r \times \mathfrak{A}_{cp} = (Q^\times, 2^{P'}, q_0^\times, \delta^\times, C^\times, m^\times)$ of $\mathfrak{A}_r$ and $\mathfrak{A}_{cp}$ where

– $Q^\times = Q^r \times Q^{cp}$,

– $q_0^\times = (q_0^r, q_0^{cp})$,

– $\delta^\times((q,q'),A) = \{(p, \delta^{cp}(q',A)) \mid p \in \delta^r(q,A)\}$ if $A \ne \varepsilon$, and $\delta^\times((q,q'),\varepsilon) = \{(p,q') \mid p \in \delta^r(q,\varepsilon)\}$,

– $C^\times = C^r \times C^{cp}$, and

– $m^\times(q,q') = m(q)$.

Using this, we define $\mathfrak{A}_{\langle r\rangle_{cp}\psi}$ as we defined $\mathfrak{A}_{\langle r\rangle\psi}$, but using $\mathfrak{A}_r \times \mathfrak{A}_{cp}$ instead of $\mathfrak{A}_r$. Similarly, $\mathfrak{A}_{[r]_{cp}\psi}$ is defined as $\mathfrak{A}_{[r]\psi}$, but using $\mathfrak{A}_r \times \mathfrak{A}_{cp}$ instead of $\mathfrak{A}_r$, which restricts the matches with $r$ recognized by $\mathfrak{A}_r$ to those that are within at most one changepoint.

It remains to prove that the construction is correct. 




Proof (Proof of Theorem 2). First, we determine the size of $\mathfrak{A}_\varphi$. Boolean operations add one state while a temporal operator with regular expression $r$ adds a number of states that is linear in the size of $r$ (which is its length), even when we take the intersection with the automaton checking for color changes. Note that we do not need to complement the automata to obtain the $\mathfrak{A}_{\neg\theta_j}$, instead we rely on Lemma 1. Hence, the size of $\mathfrak{A}_\varphi$ is linear in the size of $\varphi$.

Thus, it remains to prove that 21,^ recognizes the models of (p. We proceed by 
induction over the structure of ip. The induction starts for atomic formulas and 
the induction steps for disjunction and conjunction are trivial, hence it suffices 
to consider the temporal operators. 

First, consider a subformula of the form $\langle r \rangle \psi$. If $w \models \langle r \rangle \psi$, then there exists a position $n$ such that $w_n w_{n+1} w_{n+2} \cdots \models \psi$ and $(0, n) \in \mathcal{R}(r, w)$. Hence, due to Lemma 1, there is an accepting run of $\mathfrak{A}_r$ on $w_0 \cdots w_{n-1}$ such that the tests visited during the run are satisfied by the appropriate suffixes of $w$. Thus, applying the induction hypothesis yields accepting runs of the test automata on these suffixes. Also, there is an accepting run of $\mathfrak{A}_\psi$ on $w_n w_{n+1} w_{n+2} \cdots$, again by induction hypothesis. These runs can be “glued” together to obtain an accepting run of $\mathfrak{A}_{\langle r \rangle \psi}$ on $w$.

For the other direction, let $\rho$ be an accepting run of $\mathfrak{A}_{\langle r \rangle \psi}$ on $w$. Let $n \geq 0$ be the last level of $\rho$ that contains a state from $Q''$. Such a level has to exist since states in $Q''$ are not accepting and they have no incoming edges from states of the automata $\mathfrak{A}_\psi$ and $\mathfrak{A}_{\theta_j}$ (the $\theta_j$ are the tests in $r$), but the initial state of $\mathfrak{A}_{\langle r \rangle \psi}$ is in $Q''$. Furthermore, $\mathfrak{A}_{\langle r \rangle \psi}$ is non-deterministic when restricted to states in $Q''$. Hence, we can extract an accepting run of $\mathfrak{A}_r$ on $w_0 \cdots w_{n-1}$ from $\rho$ that additionally satisfies the requirements formulated in Statement 1 of Lemma 1, due to the transitions into the test automata and applications of the induction hypothesis. Hence, we have $(0, n) \in \mathcal{R}(r, w)$. Also, from the remainder of $\rho$ (levels greater than or equal to $n$) we can extract an accepting run of $\mathfrak{A}_\psi$ on $w_n w_{n+1} w_{n+2} \cdots$. Hence, $w_n w_{n+1} w_{n+2} \cdots \models \psi$ by induction hypothesis. So, we conclude $w \models \langle r \rangle \psi$.

The case for $[r]\psi$ is dual to the one for $\langle r \rangle \psi$, while the cases for the changepoint-bounded operators $\langle r \rangle_{cp} \psi$ and $[r]_{cp} \psi$ are analogous, using the fact that $\mathfrak{A}_{cp}$ accepts exactly the words that have at most one changepoint.


The number of states of $\mathfrak{A}_\varphi$ is linear in $|\varphi|$, but it is not clear that $\mathfrak{A}_\varphi$ can be computed in polynomial time in $|\varphi|$, since, e.g., the transition functions of sub-automata of the form $\mathfrak{A}_{\langle r \rangle \psi}$ contain disjunctions that range over the set of $\varepsilon$-paths. Here, it suffices to consider simple paths, but even this restriction still allows for an exponential number of different paths. Fortunately, we do not need to compute $\mathfrak{A}_\varphi$ in polynomial time: it suffices to construct it on-the-fly in polynomial space, which is clearly possible and is all our applications require.

Furthermore, using standard constructions (e.g., [?]), we can turn the alternating Büchi automaton $\mathfrak{A}_\varphi$ into a non-deterministic Büchi automaton of exponential size and a deterministic parity automaton³ of doubly-exponential size with exponentially many colors.

Finally, the automata we construct are weak [18], i.e., every strongly connected component either has only accepting or only non-accepting states, which allows for improved translations into non-deterministic automata: the automata for the atomic formulas are weak, and taking the union or intersection of two weak automata preserves weakness. Thus, consider the automata constructed for the temporal operators: the states of the automaton for $r$ are either all accepting or all rejecting, and once this set of states is left towards some automaton checking a subformula, it is never reentered. Hence, as these sub-automata are weak, the whole automaton is weak as well. However, our automata are not very weak [?] (also known as linear), i.e., automata that only have self-loops but no non-trivial cycles, as the automata checking matches with $r$ might have cycles of arbitrary length.


4 Model Checking

In this section, we consider the PLDL model checking problem. A ($P$-labeled) transition system $\mathcal{S} = (S, s_0, E, \ell)$ consists of a finite set $S$ of states, an initial state $s_0$, a left-total edge relation $E \subseteq S \times S$, and a labeling $\ell\colon S \to 2^P$. An initial path through $\mathcal{S}$ is a sequence $\pi = s_0 s_1 s_2 \cdots$ of states satisfying $(s_n, s_{n+1}) \in E$ for every $n$. Its trace is defined as $\mathrm{tr}(\pi) = \ell(s_0)\ell(s_1)\ell(s_2)\cdots$. We say that $\mathcal{S}$ satisfies a PLDL formula $\varphi$ with respect to a variable valuation $\alpha$ if we have $(\mathrm{tr}(\pi), \alpha) \models \varphi$ for every initial path $\pi$ of $\mathcal{S}$. The model checking problem asks, given a transition system $\mathcal{S}$ and a formula $\varphi$, to determine whether there exists a variable valuation $\alpha$ for which $\mathcal{S}$ satisfies $\varphi$.

Theorem 3. The PLDL model checking problem is PSPACE-complete.

To solve the PLDL model checking problem, we first notice that we can restrict ourselves to PLDL$_\Diamond$ formulas. Let $\varphi$ and $\varphi'$ be defined as in Lemma 3. Then, $\mathcal{S}$ satisfies $\varphi$ with respect to some $\alpha$ if and only if $\mathcal{S}$ satisfies $\varphi'$ with respect to some $\alpha'$.

Our algorithm is similar to the one presented for PROMPT-LTL in [14] and uses the alternating color technique. Recall that $p \notin P$ is the fresh atomic proposition used to specify the coloring and induces the blocks, maximal infixes with their unique changepoint at the first position. Let $G = (V, E, v_0, \ell, F)$ denote a colored Büchi graph consisting of a finite directed graph $(V, E)$, an initial vertex $v_0$, a coloring function $\ell\colon V \to 2^{\{p\}}$ labeling vertices by $p$ or not, and a set $F \subseteq V$ of accepting vertices. A path $v_0 v_1 v_2 \cdots$ through $G$ is pumpable if all its blocks have at least one vertex that appears twice in this block. Furthermore, the path is fair if it visits $F$ infinitely often. The pumpable non-emptiness problem asks, given a colored Büchi graph $G$, whether it has a pumpable fair path starting in the initial vertex.

³ The states of a parity automaton are colored by $\Omega\colon Q \to \mathbb{N}$. It accepts a word $w$ if it has a run $q_0 q_1 q_2 \cdots$ on $w$ such that $\max\{\Omega(q) \mid q_i = q \text{ for infinitely many } i\}$ is even.

Theorem 4 ([14]). The pumpable non-emptiness problem for colored Büchi graphs is NLOGSPACE-complete.

The following lemma reduces the PLDL$_\Diamond$ model checking problem to the pumpable non-emptiness problem for colored Büchi graphs of exponential size. Given a non-deterministic Büchi automaton $\mathfrak{A} = (Q, 2^{P \cup \{p\}}, q_0, \delta, F)$ recognizing the models of $\neg\mathrm{rel}(\varphi) \wedge X^\infty p \wedge X^\infty \neg p$ (note that $\mathrm{rel}(\varphi)$ is negated) and a transition system $\mathcal{S} = (S, s_0, E, \ell)$, define the product $\mathfrak{A} \times \mathcal{S}$ to be the colored Büchi graph

$\mathfrak{A} \times \mathcal{S} = (Q \times S \times 2^{\{p\}}, E', (q_0, s_0, \emptyset), \ell', F \times S \times 2^{\{p\}})$

where

- $((q, s, C), (q', s', C')) \in E'$ if and only if $(s, s') \in E$ and $q' \in \delta(q, \ell(s) \cup C)$, and
- $\ell'(q, s, C) = C$.

Each initial path $(q_0, s_0, C_0)(q_1, s_1, C_1)(q_2, s_2, C_2)\cdots$ through $\mathfrak{A} \times \mathcal{S}$ induces a coloring $(\ell(s_0) \cup C_0)(\ell(s_1) \cup C_1)(\ell(s_2) \cup C_2)\cdots$ of the trace of the path $s_0 s_1 s_2 \cdots$ through $\mathcal{S}$. Furthermore, $q_0 q_1 q_2 \cdots$ is a run of $\mathfrak{A}$ on this coloring.

Lemma 6 (cf. Theorem 4.2 of [14]). $\mathcal{S}$ does not satisfy $\varphi$ with respect to any $\alpha$ if and only if $\mathfrak{A} \times \mathcal{S}$ has a pumpable fair path.

Proof. Let $\varphi$ not be satisfied by $\mathcal{S}$ with respect to any $\alpha$, i.e., for every $\alpha$ there exists an initial path $\pi$ through $\mathcal{S}$ such that $(\mathrm{tr}(\pi), \alpha) \not\models \varphi$. Pick $\alpha^*$ such that $\alpha^*(z) = 2 \cdot |Q| \cdot |S| + 2$ for every $z$ and let $\pi^*$ be the corresponding path. Applying (the contrapositive of) Item 2 of Lemma 4 yields $w \not\models c(\varphi)$ for every $(|Q| \cdot |S| + 1)$-bounded coloring $w$ of $\mathrm{tr}(\pi^*)$. Now, consider the unique $(|Q| \cdot |S| + 1)$-bounded and $(|Q| \cdot |S| + 1)$-spaced coloring $w$ of $\mathrm{tr}(\pi^*)$ that starts with $p$ not holding true in the first position. As argued above, $w \not\models c(\varphi)$, and we have $w \models X^\infty p \wedge X^\infty \neg p$, as $w$ is bounded. Hence, $w \models \neg\mathrm{rel}(\varphi) \wedge X^\infty p \wedge X^\infty \neg p$, i.e., there is an accepting run $q_0 q_1 q_2 \cdots$ of $\mathfrak{A}$ on $w$. This suffices to show that $(q_0, \pi^*_0, w_0 \cap \{p\})(q_1, \pi^*_1, w_1 \cap \{p\})(q_2, \pi^*_2, w_2 \cap \{p\})\cdots$ is a pumpable fair path through $\mathfrak{A} \times \mathcal{S}$, since every block has length $|Q| \cdot |S| + 1$. This implies the existence of a repeated vertex in every block, since there are exactly $|Q| \cdot |S|$ vertices of each color.

We now consider the other direction. Thus, assume $\mathfrak{A} \times \mathcal{S}$ contains a pumpable fair path $(q_0, s_0, C_0)(q_1, s_1, C_1)(q_2, s_2, C_2)\cdots$, fix some arbitrary $\alpha$, and define $k = \max_{x \in \mathrm{var}_\Diamond(\varphi)} \alpha(x)$. There is a repetition of a vertex of $\mathfrak{A} \times \mathcal{S}$ in every block, each of which can be pumped $k$ times. This path is still fair and induces a coloring $w'_k$ of a trace $w_k$ of an initial path of $\mathcal{S}$. Since the run encoded in the first components is an accepting one on $w'_k$, we conclude that the coloring $w'_k$ satisfies $\neg\mathrm{rel}(\varphi)$. Furthermore, $w'_k$ is $k$-spaced, since we pumped each repetition $k$ times.

Towards a contradiction, assume we have $(w_k, \alpha) \models \varphi$. Applying Item 1 of Lemma 4 yields $w'_k \models c(\varphi)$, which contradicts $w'_k \models \neg\mathrm{rel}(\varphi)$. Hence, for every $\alpha$ we have constructed a path of $\mathcal{S}$ whose trace does not satisfy $\varphi$ with respect to $\alpha$, i.e., $\mathcal{S}$ does not satisfy $\varphi$ with respect to any $\alpha$.
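As an added, runnable illustration of the reduction behind Lemma 6 (example code written for this page, not part of the paper): the product $\mathfrak{A} \times \mathcal{S}$ is built exactly as defined above, and pumpable non-emptiness is decided by searching an augmented graph whose states additionally remember one vertex of the current block and whether that vertex has already repeated, which is one explicit way to implement the nondeterministic guess behind Theorem 4. The Büchi automaton is hand-built (an assumption, not the paper's construction) for the single formula $\varphi = F_{\le x}\, a$ ("$a$ within $x$ steps"), so it accepts colorings in which no $a$ occurs before the second changepoint and which have infinitely many changepoints; the two transition systems are constructed sample inputs.

```python
from collections import deque


def product(nba, ts, p='p'):
    """Colored Büchi graph A x S of Lemma 6.

    nba = (Q, q0, delta, F) with delta(q, letter) -> set of states, letters are
    frozensets over P ∪ {p}; ts = (S, s0, E, ell) with ell[s] a frozenset over P.
    Vertices are (q, s, C) with C in {∅, {p}}; the colour of a vertex is C and the
    automaton reads ell(s) ∪ C when moving on.
    """
    Q, q0, delta, F = nba
    S, s0, E, ell = ts
    colours = (frozenset(), frozenset({p}))
    V = [(q, s, C) for q in Q for s in S for C in colours]
    succ = {(q, s, C): [(q2, s2, C2) for (s1, s2) in E if s1 == s
                        for q2 in delta(q, ell[s] | C) for C2 in colours]
            for (q, s, C) in V}
    colour = {v: v[2] for v in V}
    accepting = {v for v in V if v[0] in F}
    return V, succ, (q0, s0, frozenset()), colour, accepting


def pumpable_fair_path_exists(graph):
    """Pumpable non-emptiness (Theorem 4) on an explicit graph.

    Augmented states (v, m, done): m is a vertex of the current block we chose to
    remember (or None), done records that the block already contains a repetition.
    A changepoint may only be crossed when done holds, so every finite block of an
    accepted path is pumpable; a path ending in one infinite block repeats vertices
    trivially and needs no bookkeeping.
    """
    V, succ, v0, colour, accepting = graph

    def moves(state):
        v, m, done = state
        for w in succ[v]:
            if colour[w] != colour[v]:            # changepoint: close the block
                if done:
                    yield (w, None, False)
                    yield (w, w, False)
            elif done:                             # nothing left to check here
                yield (w, None, True)
            elif m is None:                        # optionally start remembering w
                yield (w, None, False)
                yield (w, w, False)
            elif w == m:                           # remembered vertex repeats
                yield (w, None, True)
            else:
                yield (w, m, False)

    def reach(starts):
        seen, todo = set(starts), deque(starts)
        while todo:
            for t in moves(todo.popleft()):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    reachable = reach([(v0, None, False), (v0, v0, False)])
    # a fair pumpable path exists iff some reachable accepting state lies on a cycle
    return any(a in reach(list(moves(a)))
               for a in reachable if a[0] in accepting)


def nba_no_a_within_one_changepoint(p='p'):
    """Hand-built NBA (assumption, not from the paper) for ¬rel(φ) ∧ X^∞p ∧ X^∞¬p
    with φ = F_{≤x} a: no letter containing a occurs before the second changepoint,
    and there are infinitely many changepoints.  States: 'start'; ('b0', c) and
    ('b1', c): inside the first / second block of colour c with no a seen yet;
    ('free', c, f): both changepoints passed, f = 1 right after a changepoint
    (these are the accepting states)."""
    def col(A):
        return p in A

    def delta(q, A):
        if q == 'start':
            return set() if 'a' in A else {('b0', col(A))}
        if q[0] in ('b0', 'b1'):
            if 'a' in A:
                return set()
            if col(A) == q[1]:
                return {q}
            return {('b1', col(A))} if q[0] == 'b0' else {('free', col(A), 1)}
        return {('free', col(A), 1 if col(A) != q[1] else 0)}

    Q = ['start'] + [(b, c) for b in ('b0', 'b1') for c in (False, True)] \
        + [('free', c, f) for c in (False, True) for f in (0, 1)]
    return Q, 'start', delta, {q for q in Q if q[0] == 'free' and q[2] == 1}


# Constructed sample systems: s0 is unlabelled, s1 carries a.
TS_NEVER_A = (['s0', 's1'], 's0', [('s0', 's0'), ('s0', 's1'), ('s1', 's1')],
              {'s0': frozenset(), 's1': frozenset({'a'})})       # s0^ω never sees a
TS_A_EVERY_OTHER_STEP = (['s0', 's1'], 's0', [('s0', 's1'), ('s1', 's0')],
                         {'s0': frozenset(), 's1': frozenset({'a'})})  # a within 1 step


def violates_for_every_valuation(ts):
    """Lemma 6: S fails F_{≤x} a for every valuation iff A x S has a pumpable fair path."""
    return pumpable_fair_path_exists(product(nba_no_a_within_one_changepoint(), ts))


if __name__ == '__main__':
    print(violates_for_every_valuation(TS_NEVER_A))             # True
    print(violates_for_every_valuation(TS_A_EVERY_OTHER_STEP))  # False
```

The explicit augmented graph is quadratic in the product, which is fine for a demonstration but is exactly what the on-the-fly NLOGSPACE search of [14] avoids; the point of the example is that the block bookkeeping (one remembered vertex, one bit) is all the pumpability condition needs.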

We can deduce an upper bound on valuations that satisfy a formula in a given transition system.

Corollary 1. If there is a valuation such that $\mathcal{S}$ satisfies a PLDL$_\Diamond$ formula $\varphi$, then there is also one that is bounded exponentially in $|\varphi|$ and linearly in $|\mathcal{S}|$.

Proof. Let $\mathcal{S}$ satisfy $\varphi$ with respect to $\alpha$, but not with respect to the valuation $\alpha^*$ with $\alpha^*(x) = 2 \cdot |Q| \cdot |S| + 2$ for all $x$. In the preceding proof, we constructed a pumpable fair path in $\mathfrak{A} \times \mathcal{S}$ starting from this assumption. This contradicts Lemma 6, since $\mathcal{S}$ satisfying $\varphi$ with respect to $\alpha$ is equivalent to $\mathfrak{A} \times \mathcal{S}$ not having a pumpable fair path. Since $2 \cdot |Q| \cdot |S| + 2$ is exponential in $|\varphi|$ and linear in $|\mathcal{S}|$, the result follows.

A matching lower bound of $2^n$ can be proven by implementing a binary counter with $n$ bits using a formula of polynomial size in $n$. This already holds true for PROMPT-LTL, as noted in [14].

Now, we are able to prove the main result of this section: PLDL model checking is PSPACE-complete.

Proof (Proof of Theorem 3). PSPACE-hardness follows directly from the PSPACE-hardness of the LTL model checking problem [?], as LTL is a fragment of PLDL.

The following is a polynomial space algorithm, which is correct due to Lemma 6: construct $\mathfrak{A} \times \mathcal{S}$ on-the-fly and check whether it contains a pumpable fair path. Since the search for such a path can be implemented on-the-fly without having to construct the full product [14], the whole algorithm runs in polynomial space.

To conclude, we prove the dual of Corollary 1 for PLDL$_\Box$ formulas, which will be useful when we consider the model checking optimization problem.

Lemma 7. Let $\varphi$ be a PLDL$_\Box$ formula and let $\mathcal{S}$ be a transition system. There is a variable valuation $\alpha^*$ that is bounded exponentially in $|\varphi|$ and linearly in $|\mathcal{S}|$ such that if $\mathcal{S}$ satisfies $\varphi$ with respect to $\alpha^*$, then $\mathcal{S}$ satisfies $\varphi$ with respect to every valuation.

Proof. We begin by defining $\alpha^*$: let $\mathfrak{A}$ be a Büchi automaton recognizing the models of $c(\neg\varphi)$, which is of exponential size in $|\varphi|$. Define $k^* = 4 \cdot |\mathfrak{A}| \cdot |\mathcal{S}| + 2$ and let $\alpha^*$ be the variable valuation mapping every variable to $k^*$. Now, we consider the contrapositive and show: if there is an $\alpha$ such that $\mathcal{S}$ does not satisfy $\varphi$ with respect to $\alpha$, then $\mathcal{S}$ does not satisfy $\varphi$ with respect to $\alpha^*$.

Thus, assume there is an $\alpha$ and a path $\pi$ such that $(\mathrm{tr}(\pi), \alpha) \models \neg\varphi$. Note that $\neg\varphi$ is a PLDL$_\Diamond$ formula. Due to monotonicity, we can assume w.l.o.g. that $\alpha$ maps all variables to the same value, call it $k$.

We denote by $\mathrm{tr}(\pi)'$ the unique $k$-bounded and $k$-spaced $p$-coloring of $\mathrm{tr}(\pi)$ that starts with $p$ not holding true in the first position. Applying Item 1 of Lemma 4 shows that $\mathrm{tr}(\pi)'$ satisfies $c(\neg\varphi)$. Fix some accepting run of $\mathfrak{A}$ on $\mathrm{tr}(\pi)'$ and consider an arbitrary block of $\mathrm{tr}(\pi)'$: if the run does not visit an accepting state during the block, we remove infixes of the block and of the run where the run reaches the same state before and after the infix and where the states of $\mathcal{S}$ at the beginning and at the end of the infix are the same, until the block has length at most $|\mathfrak{A}| \cdot |\mathcal{S}|$.

On the other hand, assume the run visits at least one accepting state during the block. Fix one such position. Then, we can remove infixes as above between the beginning of the block and the position before the accepting state is visited, and between the position after the accepting state is reached and the end of the block. What remains is a block of length at most $2 \cdot |\mathfrak{A}| \cdot |\mathcal{S}| + 1$: at most $|\mathfrak{A}| \cdot |\mathcal{S}|$ many positions before the designated position, this position itself, and at most $|\mathfrak{A}| \cdot |\mathcal{S}|$ many after the designated position.

Thus, we have constructed a $(2 \cdot |\mathfrak{A}| \cdot |\mathcal{S}| + 1)$-bounded coloring $\mathrm{tr}(\hat\pi)'$ of a trace $\mathrm{tr}(\hat\pi)$ for some path $\hat\pi$ of $\mathcal{S}$, as well as an accepting run of $\mathfrak{A}$ on $\mathrm{tr}(\hat\pi)'$. Hence, $\mathrm{tr}(\hat\pi)'$ is a model of $c(\neg\varphi)$, and applying Item 2 of Lemma 4 shows that $\mathrm{tr}(\hat\pi)$ is a model of $\neg\varphi$ with respect to the variable valuation mapping every variable to $2 \cdot (2 \cdot |\mathfrak{A}| \cdot |\mathcal{S}| + 1) = k^*$. Therefore, $\mathcal{S}$ does not satisfy $\varphi$ with respect to $\alpha^*$.


5 Assume-guarantee Model Checking

After having solved the PLDL model checking problem, we turn our attention to the assume-guarantee model checking problem. An instance of this problem consists of a transition system $\mathcal{S}$ and two specifications, an assumption $\varphi_A$ and a guarantee $\varphi_G$. Intuitively, whenever the assumption $\varphi_A$ is satisfied, then also the guarantee $\varphi_G$ should be satisfied.

More formally, given two transition systems $\mathcal{S} = (S, s_0, E, \ell)$ and $\mathcal{S}' = (S', s'_0, E', \ell')$ with $\ell(s_0) = \ell'(s'_0)$, we define their parallel composition

$\mathcal{S} \| \mathcal{S}' = (S'', s''_0, E'', \ell'')$

where

- $S'' = \{(s, s') \in S \times S' \mid \ell(s) = \ell'(s')\}$,
- $s''_0 = (s_0, s'_0)$,
- $((s, s'), (t, t')) \in E''$ if and only if $(s, t) \in E$ and $(s', t') \in E'$, and
- $\ell''(s, s') = \ell(s) = \ell'(s')$.

Note that parallel composition as defined here amounts to taking the intersection of the trace languages of $\mathcal{S}$ and $\mathcal{S}'$. In particular, we have the following property.

Remark 1. Let $(v_0, v'_0)(v_1, v'_1)(v_2, v'_2)\cdots$ be a path through a parallel composition $\mathcal{S} \| \mathcal{S}'$. Then, $v_0 v_1 v_2 \cdots$ is a path through $\mathcal{S}$ that has the same trace as $(v_0, v'_0)(v_1, v'_1)(v_2, v'_2)\cdots$.

An assume-guarantee specification $(\varphi_A, \varphi_G)$ consists of two PLDL formulas, an assumption $\varphi_A$ and a guarantee $\varphi_G$. We say that a finite transition system $\mathcal{S}$ satisfies the specification, denoted by $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$, if for every countably infinite⁵ transition system $\mathcal{S}'$, if $\mathcal{S} \| \mathcal{S}'$ is a model of $\varphi_A$ with respect to some $\alpha$, then $\mathcal{S} \| \mathcal{S}'$ is also a model of $\varphi_G$ with respect to some $\beta$ [20]. For LTL specifications, this boils down to model checking the implication $\varphi_A \to \varphi_G$, but the problem is more complex in the presence of parameterized operators, as already noticed by Kupferman et al. in the case of PROMPT-LTL [14]. This is due to the fact that the variable valuation $\beta$ in the problem statement above may depend on $\mathcal{S}'$. In the following, we extend Kupferman et al.'s algorithm for the PROMPT-LTL assume-guarantee model checking problem to the PLDL one.

The main theorem of this section reads as follows.

Theorem 5. The PLDL assume-guarantee model checking problem is PSPACE-complete.

To begin with, we show that we can refute such an assume-guarantee specification using a single trace per valuation $\beta$, just like in the model checking problem, where we are looking for a single counterexample. However, as we consider the satisfaction of two formulas, we have to deal with two variable valuations.

Lemma 8. Let $\mathcal{S}$ be a transition system and let $(\varphi_A, \varphi_G)$ be a pair of PLDL formulas. Then, $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ does not hold if and only if there is a variable valuation $\alpha$ such that for every variable valuation $\beta$ there is a path $\pi_\beta$ through $\mathcal{S}$ with $(\mathrm{tr}(\pi_\beta), \alpha) \models \varphi_A$, but $(\mathrm{tr}(\pi_\beta), \beta) \not\models \varphi_G$.

Proof. Let $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ not hold, i.e., there is a transition system $\mathcal{S}'$ such that $\mathcal{S} \| \mathcal{S}'$ is a model of $\varphi_A$ with respect to some fixed $\alpha$, but $\mathcal{S} \| \mathcal{S}'$ is not a model of $\varphi_G$ with respect to any $\beta$. Thus, for every $\beta$, we find an initial path $\pi'_\beta$ through $\mathcal{S} \| \mathcal{S}'$ with $(\mathrm{tr}(\pi'_\beta), \beta) \not\models \varphi_G$. Furthermore, $\mathrm{tr}(\pi'_\beta)$ satisfies $\varphi_A$ with respect to $\alpha$, as does every trace of $\mathcal{S} \| \mathcal{S}'$. To conclude this direction, we apply Remark 1 to show that there exists a path $\pi_\beta$ through $\mathcal{S}$ such that $\mathrm{tr}(\pi_\beta) = \mathrm{tr}(\pi'_\beta)$ is also a trace of $\mathcal{S}$.

Now, assume there is a variable valuation $\alpha$ such that for every variable valuation $\beta$ there is a path $\pi_\beta$ through $\mathcal{S}$ with $(\mathrm{tr}(\pi_\beta), \alpha) \models \varphi_A$, but $(\mathrm{tr}(\pi_\beta), \beta) \not\models \varphi_G$. Let $\mathcal{S}'$ be a possibly infinite transition system whose traces are exactly the traces of the paths $\pi_\beta$. By construction, the set of traces of $\mathcal{S} \| \mathcal{S}'$ is equal to the set of traces of $\mathcal{S}'$. Furthermore, every trace of $\mathcal{S} \| \mathcal{S}'$ satisfies $\varphi_A$ with respect to $\alpha$. However, for every $\beta$ the trace $\mathrm{tr}(\pi_\beta)$ of $\mathcal{S} \| \mathcal{S}'$ does not satisfy $\varphi_G$ with respect to $\beta$. Hence, there is no $\beta$ such that $\mathcal{S} \| \mathcal{S}'$ satisfies $\varphi_G$ with respect to $\beta$, i.e., $\mathcal{S}'$ witnesses that $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ does not hold.

The PROMPT-LTL assume-guarantee model-checking problem as introduced in [14] only considers the product of the given transition system $\mathcal{S}$ with finite transition systems $\mathcal{S}'$. However, in this setting, one can easily construct counterexamples to the analogue of Lemma 8. Indeed, the transition system $\mathcal{S}'$ we construct while proving the second implication above is necessarily infinite for the counterexamples. If one allows infinite systems $\mathcal{S}'$, then the analogue is still correct, using the same proof as above. The decidability of assume-guarantee model checking restricted to finite systems $\mathcal{S}'$ is an open problem.

⁵ This is the only place where we allow infinite transition systems (see the discussion below the proof of Lemma 8).

Next, we observe that we again can restrict ourselves to considering PLDL$_\Diamond$ formulas, both as the assumption and as the guarantee. This follows from Lemma 3 and the fact that the variable valuations are quantified existentially in the problem statement.

As we have to deal with two variable valuations, we have to extend the alternating-color technique to two colors, one color $p$ for $\alpha$ and one color $q$ for $\beta$. We say that $w' \in (2^{P \cup \{p, q\}})^\omega$ is a coloring of $w \in (2^P)^\omega$ if $w'_n \cap P = w_n$ for every $n$. Furthermore, the notions of $p$-changepoints, $p$-blocks, and the analogues for $q$ are defined as expected (cf. Subsection 2.1). Consequently, the notions of $k$-boundedness and $k$-spacedness have to explicitly refer to the color under consideration. Lemma 4 still holds for each color separately.

The following proof extends the one for the model checking problem using colored Büchi graphs. To this end, we have to adapt the definition of such a graph to two colors. Formally, a colored Büchi graph of degree two is a tuple $(V, E, v_0, \ell, F_0, F_1)$ where $(V, E)$ is a finite directed graph, $v_0 \in V$ is the initial vertex, $\ell\colon V \to 2^{\{p, q\}}$ is a vertex labeling by $p$ and $q$, and $F_0, F_1 \subseteq V$ are two sets of accepting vertices.

A path $v_0 v_1 v_2 \cdots$ through $G$ is pumpable if every $q$-block contains a vertex repetition such that there is a $p$-changepoint in between these vertices. More formally, we require the following condition to be satisfied: if $i$ and $i'$ are two adjacent $q$-changepoints, then there exist $j, j', j''$ with $i < j < j' < j'' < i'$ such that $v_j = v_{j''}$ and $\ell(v_j)$ and $\ell(v_{j'})$ differ in their $p$-label. Furthermore, the path is fair if both $F_0$ and $F_1$ are visited infinitely often.

The pumpable non-emptiness problem for $G$ asks whether there exists a pumpable fair path that starts in the initial vertex.

Theorem 6 ([14]). The pumpable non-emptiness problem for colored Büchi graphs of degree two is NLOGSPACE-complete.

Next, we show how to reduce the PLDL assume-guarantee model checking problem to the pumpable non-emptiness problem for colored Büchi graphs of degree two. Fix an instance $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ of the problem with $\mathcal{S} = (S, s_0, E, \ell)$ and two PLDL$_\Diamond$ formulas $\varphi_A$ and $\varphi_G$.

Now, let $\mathfrak{A}_A = (Q, 2^{P \cup \{p, q\}}, q_0, \delta, F)$ be a Büchi automaton recognizing the models of $X^\infty p \wedge X^\infty \neg p \wedge \mathrm{rel}(\varphi_A)$, and let $\mathfrak{A}_G = (Q', 2^{P \cup \{p, q\}}, q'_0, \delta', F')$ be a Büchi automaton recognizing the models of $X^\infty q \wedge X^\infty \neg q \wedge \neg\mathrm{rel}(\varphi_G)$. Note that we need to slightly adapt the construction of $\mathfrak{A}_G$, as we interpret the changepoint-bounded operators in $\varphi_G$ w.r.t. color changes of $q$, not $p$. Hence, instead of using the automaton $\mathfrak{A}_{cp}$ as depicted in Figure 1(c) with transition labels $p$ and $\neg p$, we use the one with labels $q$ and $\neg q$ to construct $\mathfrak{A}_G$.

Next, we define the colored Büchi graph of degree two

$\mathfrak{A}_A \times \mathfrak{A}_G \times \mathcal{S} = (Q \times Q' \times S \times 2^{\{p, q\}}, E', (q_0, q'_0, s_0, \emptyset), \ell', F_0, F_1)$

where

- $((q_1, q_2, s, C), (q'_1, q'_2, s', C')) \in E'$ if and only if $(s, s') \in E$, $q'_1 \in \delta(q_1, \ell(s) \cup C)$, and $q'_2 \in \delta'(q_2, \ell(s) \cup C)$,
- $\ell'(q_1, q_2, s, C) = C$,
- $F_0 = F \times Q' \times S \times 2^{\{p, q\}}$, and
- $F_1 = Q \times F' \times S \times 2^{\{p, q\}}$.

Lemma 9 (cf. Lemma 6.2 of [14]). Let $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ and $\mathfrak{A}_A \times \mathfrak{A}_G \times \mathcal{S}$ be defined as above. Then, $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ does not hold if and only if $\mathfrak{A}_A \times \mathfrak{A}_G \times \mathcal{S}$ has a pumpable fair path.

Proof. Recall that changepoint-bounded operators in $\varphi_A$ are evaluated with respect to the color $p$, while the ones in $\varphi_G$ are evaluated with respect to $q$.

Let $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ not hold. Then, due to Lemma 8, there is a variable valuation $\alpha$ such that for every valuation $\beta$ there is an initial path $\pi_\beta$ of $\mathcal{S}$ such that $(\mathrm{tr}(\pi_\beta), \alpha) \models \varphi_A$, but $(\mathrm{tr}(\pi_\beta), \beta) \not\models \varphi_G$.

Define $k_\alpha = \max_{x \in \mathrm{var}(\varphi_A)} \alpha(x)$, $k_{\beta^*} = 2 \cdot |Q| \cdot |Q'| \cdot |S| \cdot k_\alpha + 1$, and let $\beta^*$ be such that $\beta^*(x) = 2 k_{\beta^*}$ for every $x$. Finally, let $w^* = \mathrm{tr}(\pi_{\beta^*})$ be the corresponding trace as above.

Then, $(w^*, \alpha) \models \varphi_A$ and Item 1 of Lemma 4 imply that every $k_\alpha$-spaced (with respect to $p$) coloring $w^{*\prime}$ of $w^*$ satisfies $X^\infty p \wedge X^\infty \neg p \wedge \mathrm{rel}(\varphi_A)$. Similarly, $(w^*, \beta^*) \not\models \varphi_G$ and (the contrapositive of) Item 2 of Lemma 4 imply that every $k_{\beta^*}$-bounded (with respect to $q$) coloring $w^{*\prime}$ of $w^*$ does not satisfy $\mathrm{rel}(\varphi_G)$. Hence, every such $w^{*\prime}$ satisfies $X^\infty q \wedge X^\infty \neg q \wedge \neg\mathrm{rel}(\varphi_G)$.

Now, consider the unique coloring $w^{*\prime}$ of $w^*$ that is $k_\alpha$-bounded and $k_\alpha$-spaced with respect to $p$, $k_{\beta^*}$-bounded and $k_{\beta^*}$-spaced with respect to $q$, and begins with $p$ and $q$ not holding true. We have $w^{*\prime} \models X^\infty p \wedge X^\infty \neg p \wedge \mathrm{rel}(\varphi_A)$ and $w^{*\prime} \models X^\infty q \wedge X^\infty \neg q \wedge \neg\mathrm{rel}(\varphi_G)$. Hence, there are accepting runs $q_0 q_1 q_2 \cdots$ of $\mathfrak{A}_A$ and $q'_0 q'_1 q'_2 \cdots$ of $\mathfrak{A}_G$ on $w^{*\prime}$.

Consider the path

$(q_0, q'_0, v_0, w^{*\prime}_0 \cap \{p, q\})(q_1, q'_1, v_1, w^{*\prime}_1 \cap \{p, q\})(q_2, q'_2, v_2, w^{*\prime}_2 \cap \{p, q\})\cdots$

through $\mathfrak{A}_A \times \mathfrak{A}_G \times \mathcal{S}$. Here, $w^{*\prime}_n$ is the $n$-th letter of $w^{*\prime}$ and $v_0 v_1 v_2 \cdots$ is the path through $\mathcal{S}$ inducing the trace $w^*$.

The path is fair, as the runs are both accepting. Furthermore, it is pumpable: the $p$-blocks are of length $k_\alpha$, but the $q$-blocks are of length $k_{\beta^*} = 2 \cdot |Q| \cdot |Q'| \cdot |S| \cdot k_\alpha + 1$, so every $q$-block meets more than $2 \cdot |Q| \cdot |Q'| \cdot |S|$ different $p$-blocks, while there are only $2 \cdot |Q| \cdot |Q'| \cdot |S|$ many vertices with (and without) color $q$. Hence, some vertex occurs in two different $p$-blocks of the same $q$-block, with a $p$-changepoint in between.

Now, we consider the converse: assume there is a pumpable fair path

$(q_0, q'_0, v_0, C_0)(q_1, q'_1, v_1, C_1)(q_2, q'_2, v_2, C_2)\cdots$

in $\mathfrak{A}_A \times \mathfrak{A}_G \times \mathcal{S}$. W.l.o.g., we can assume the path to be ultimately periodic [?]. Hence, the maximal length of a $p$-block in this path, call it $k_\alpha$, is well-defined. Define $\alpha$ via $\alpha(x) = 2 k_\alpha$ for every $x$, fix some arbitrary $\beta$, and let $k_\beta = \max_{x \in \mathrm{var}(\varphi_G)} \beta(x)$.

Every $q$-block of the pumpable path contains a vertex repetition with a $p$-changepoint in between. Pumping each of these repetitions $k_\beta$ times yields a new path through $\mathfrak{A}_A \times \mathfrak{A}_G \times \mathcal{S}$ and thereby also a path $\pi_\beta$ through $\mathcal{S}$, as well as accepting runs of $\mathfrak{A}_A$ and $\mathfrak{A}_G$ on a coloring $w'$ of $\mathrm{tr}(\pi_\beta)$. Hence, $w' \models X^\infty p \wedge X^\infty \neg p \wedge \mathrm{rel}(\varphi_A)$ and $w' \models X^\infty q \wedge X^\infty \neg q \wedge \neg\mathrm{rel}(\varphi_G)$.

By construction, $w'$ is $k_\alpha$-bounded with respect to $p$ and $k_\beta$-spaced with respect to $q$. Thus, applying both directions of Lemma 4 yields $(\mathrm{tr}(\pi_\beta), \alpha) \models \varphi_A$ and $(\mathrm{tr}(\pi_\beta), \beta) \not\models \varphi_G$. Hence, for every $\beta$ we have constructed a path with the desired properties. Thus, due to Lemma 8, $\langle \varphi_A \rangle \mathcal{S} \langle \varphi_G \rangle$ does not hold.

Now, we are able to prove the main result of this section: PLDL assume-guarantee model checking is as hard as LTL assume-guarantee model checking, i.e., PSPACE-complete.

Proof (Proof of Theorem 5). Membership is obtained by solving the pumpable non-emptiness problem for the product $\mathfrak{A}_A \times \mathfrak{A}_G \times \mathcal{S}$, which can be done in polynomial space on-the-fly, as the product is of exponential size and the algorithm checking for pumpable non-emptiness runs in logarithmic space.

For the lower bound we use a reduction from the LTL model checking problem, which is PSPACE-complete: given a transition system $\mathcal{S}$ and an LTL formula $\varphi$, we have $\mathcal{S} \models \varphi$ if and only if $\langle \mathit{tt} \rangle \mathcal{S} \langle \varphi \rangle$.

The solution to the assume-guarantee model checking problem also solves the implication problem for PLDL: given two PLDL formulas $\varphi$ and $\psi$, decide whether for every, possibly countably infinite, transition system $\mathcal{S}$ the following holds: if $\mathcal{S}$ satisfies $\varphi$ with respect to some $\alpha$, then $\mathcal{S}$ satisfies $\psi$ with respect to some $\beta$.

Theorem 7. The PLDL implication problem is PSPACE-complete.

Proof. Hardness follows from the hardness of the LTL satisfiability problem [?].

To prove membership, we reduce the problem to the assume-guarantee model checking problem: let $\mathcal{U}$ be a universal transition system in the sense that it contains every trace over the propositions that appear in $\varphi$ and $\psi$. It is straightforward to show that the implication between $\varphi$ and $\psi$ is satisfied if and only if $\langle \varphi \rangle \mathcal{U} \langle \psi \rangle$ is satisfied, as $\mathcal{U} \| \mathcal{S}$ has exactly the traces of $\mathcal{S}$. The latter problem can be solved in PSPACE, although $\mathcal{U}$ is of exponential size, since it can be constructed on-the-fly.

6 Realizability

In this section, we consider the realizability problem for PLDL. Throughout the section, we fix a partition $(I, O)$ of the set of atomic propositions $P$. An instance of the PLDL realizability problem is given by a PLDL formula $\varphi$ (over $P$), and the problem is to decide whether Player $O$ has a winning strategy in the following game, played in rounds $n \in \mathbb{N}$: in each round $n$, Player $I$ picks a subset $i_n \subseteq I$ and then Player $O$ picks a subset $o_n \subseteq O$. Player $O$ wins the play with respect to a variable valuation $\alpha$ if $((i_0 \cup o_0)(i_1 \cup o_1)(i_2 \cup o_2)\cdots, \alpha) \models \varphi$.

Formally, a strategy for Player $O$ is a mapping $\sigma\colon (2^I)^+ \to 2^O$, and a play $\rho = i_0 o_0 i_1 o_1 i_2 o_2 \cdots$ is consistent with $\sigma$ if we have $o_n = \sigma(i_0 \cdots i_n)$ for every $n$. We call $(i_0 \cup o_0)(i_1 \cup o_1)(i_2 \cup o_2)\cdots$ the outcome of $\rho$, denoted by $\mathrm{outcome}(\rho)$. We say that a strategy $\sigma$ for Player $O$ is winning with respect to a variable valuation $\alpha$ if we have $(\mathrm{outcome}(\rho), \alpha) \models \varphi$ for every play $\rho$ that is consistent with $\sigma$. The PLDL realizability problem asks, for a given PLDL formula $\varphi$, whether Player $O$ has a winning strategy with respect to some variable valuation, i.e., whether there is a single $\alpha$ such that every outcome satisfies $\varphi$ with respect to $\alpha$. If this is the case, then we say that $\sigma$ realizes $\varphi$ and thus that $\varphi$ is realizable (over $(I, O)$).

It is well-known that $\omega$-regular specifications, and thus all LDL$_{cp}$ specifications, are realizable by finite-state transducers (if they are realizable at all) [3]. A transducer $\mathcal{T} = (Q, \Sigma, \Gamma, q_0, \delta, \tau)$ consists of a finite set $Q$ of states, an input alphabet $\Sigma$, an output alphabet $\Gamma$, an initial state $q_0$, a transition function $\delta\colon Q \times \Sigma \to Q$, and an output function $\tau\colon Q \to \Gamma$. The function $f_\mathcal{T}\colon \Sigma^* \to \Gamma$ implemented by $\mathcal{T}$ is defined as $f_\mathcal{T}(w) = \tau(\delta^*(w))$, where $\delta^*$ is defined as usual: $\delta^*(\varepsilon) = q_0$ and $\delta^*(wv) = \delta(\delta^*(w), v)$. To implement a strategy by a transducer, we use $\Sigma = 2^I$ and $\Gamma = 2^O$. Then, we say that the strategy $\sigma = f_\mathcal{T}$ is finite-state. The size of $\sigma$ is the number of states of $\mathcal{T}$. The following proof is analogous to the one for PROMPT-LTL [14].

Theorem 8. The PLDL realizability problem is 2EXPTIME-complete.

When proving membership in 2EXPTIME, we restrict ourselves w.l.o.g. to PLDL$_\Diamond$ formulas, as this special case is sufficient, as shown in Lemma 3. First, we use the alternating color technique to show that the PLDL$_\Diamond$ realizability problem is reducible to the realizability problem for specifications in LDL$_{cp}$. When considering the LDL$_{cp}$ realizability problem, we add the fresh proposition $p$ used to specify the coloring to $O$, i.e., Player $O$ is in charge of determining the color of each position.

Lemma 10 (cf. Lemma 3.1 of [14]). A PLDL$_\Diamond$ formula $\varphi$ is realizable over $(I, O)$ if and only if the LDL$_{cp}$ formula $c(\varphi)$ is realizable over $(I, O \cup \{p\})$.

Proof. Let $\varphi$ be realizable, i.e., there is a winning strategy $\sigma\colon (2^I)^+ \to 2^O$ with respect to some $\alpha$. Now, consider the strategy $\sigma'\colon (2^I)^+ \to 2^{O \cup \{p\}}$ defined by

$\sigma'(i_0 \cdots i_{n-1}) = \begin{cases} \sigma(i_0 \cdots i_{n-1}) & \text{if } n \bmod 2k < k, \\ \sigma(i_0 \cdots i_{n-1}) \cup \{p\} & \text{otherwise,} \end{cases}$

where $k = \max_{x \in \mathrm{var}_\Diamond(\varphi)} \alpha(x)$. We show that $\sigma'$ realizes $c(\varphi)$. To this end, let $\rho' = i_0 o_0 i_1 o_1 i_2 o_2 \cdots$ be a play that is consistent with $\sigma'$. Then, $\rho = i_0 (o_0 \setminus \{p\}) i_1 (o_1 \setminus \{p\}) i_2 (o_2 \setminus \{p\}) \cdots$ is by construction consistent with $\sigma$, i.e., $(\mathrm{outcome}(\rho), \alpha) \models \varphi$. As $\mathrm{outcome}(\rho')$ is a $k$-spaced $p$-coloring of $\mathrm{outcome}(\rho)$, we deduce $\mathrm{outcome}(\rho') \models c(\varphi)$ by applying Item 1 of Lemma 4. Hence, $\sigma'$ realizes $c(\varphi)$.

Now, assume $c(\varphi)$ is realized by $\sigma'\colon (2^I)^+ \to 2^{O \cup \{p\}}$, which we can assume to be finite-state, say it is implemented by $\mathcal{T}$ with $n$ states. We first show that every outcome that is consistent with $\sigma'$ is $(n+1)$-bounded. Such an outcome satisfies $c(\varphi)$ and has therefore infinitely many changepoints. Now, assume it has a block of length strictly greater than $n+1$, e.g., between changepoints at positions $i$ and $j$. Let $q_0 q_1 q_2 \cdots$ be the states reached during the run of $\mathcal{T}$ on the projection of $\rho$ to $2^I$. Then, there are two positions $i'$ and $j'$ satisfying $i < i' < j' < j$ in the block such that $q_{i'} = q_{j'}$. Hence, $q_0 \cdots q_{i'-1}(q_{i'} \cdots q_{j'-1})^\omega$ is also a run of $\mathcal{T}$. However, the output generated by this run has only finitely many changepoints, since the outputs at the states $q_{i'}, \ldots, q_{j'-1}$ coincide when restricted to $\{p\}$. This contradicts the fact that $\mathcal{T}$ implements a winning strategy, which requires in particular that every output has infinitely many changepoints. Hence, $\rho$ is $(n+1)$-bounded.

Let $\sigma\colon (2^I)^+ \to 2^O$ be defined as $\sigma(i_0 \cdots i_{n-1}) = \sigma'(i_0 \cdots i_{n-1}) \cap O$. By definition, for every play $\rho$ consistent with $\sigma$, there is an $(n+1)$-bounded $p$-coloring of $\mathrm{outcome}(\rho)$ that is the outcome of a play that is consistent with $\sigma'$. Hence, applying Item 2 of Lemma 4 yields $(\mathrm{outcome}(\rho), \beta) \models \varphi$, where $\beta(x) = 2n + 2$ for every $x$. Hence, $\sigma$ realizes $\varphi$ with respect to $\beta$. Note that $\sigma$ is also finite-state and of the same size as $\sigma'$.

Now, we are able to prove the main result of this section.

Proof (Proof of Theorem 8). 2EXPTIME-hardness of the PLDL realizability problem follows immediately from the 2EXPTIME-hardness of the LTL realizability problem, as LTL is a fragment of PLDL.

Now, consider membership and recall that we have argued that it is sufficient to consider PLDL$_\Diamond$ formulas. Thus, let $\varphi$ be a PLDL$_\Diamond$ formula. By Lemma 10, we know that it is sufficient to consider the realizability of $c(\varphi)$. Let $\mathfrak{A} = (Q, 2^{I \cup O \cup \{p\}}, q_0, \delta, \Omega)$ be a deterministic parity automaton recognizing the models of $c(\varphi)$. We turn $\mathfrak{A}$ into a parity game $\mathcal{G}$ such that Player $O$ wins $\mathcal{G}$ from some dedicated initial vertex if and only if $c(\varphi)$ is realizable. To this end, we define the arena $\mathcal{A} = (V, V_0, V_1, E)$ with

- $V = Q \cup (Q \times 2^I)$,
- $V_0 = Q$,
- $V_1 = Q \times 2^I$, and
- $E = \{(q, (q, i)) \mid i \subseteq I\} \cup \{((q, i), \delta(q, i \cup o)) \mid o \subseteq O \cup \{p\}\}$, i.e., Player $I$ picks a subset $i \subseteq I$ and Player $O$ picks a subset $o \subseteq O \cup \{p\}$, which in turn triggers the (deterministic) update of the state stored in the vertices.

Finally, we define the coloring $\Omega_\mathcal{A}$ of the arena via $\Omega_\mathcal{A}(q) = \Omega_\mathcal{A}(q, i) = \Omega(q)$. It is straightforward to show that Player $O$ has a winning strategy from $q_0$ in the parity game $(\mathcal{A}, \Omega_\mathcal{A})$ if and only if $c(\varphi)$ (and thus $\varphi$) is realizable. Furthermore, if Player $O$ has a winning strategy, then $\mathcal{A}$ can be turned into a transducer implementing a strategy that realizes $c(\varphi)$ using $V$ as its set of states. Note that $|V|$ is doubly-exponential in $|\varphi|$ if we assume that $I$ and $O$ are restricted to propositions appearing in $\varphi$. As the parity game is of doubly-exponential size and has exponentially many colors, we can solve it in doubly-exponential time in the size of $\varphi$.
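As an added example (written for this page, not the paper's own code), the arena of the proof above is built from an explicitly given deterministic parity automaton and the resulting game is solved with Zielonka's recursive attractor algorithm, which is a standard parity-game solver and not part of the paper. Instead of a DPA for some $c(\varphi)$, which the page does not spell out, the two automata below are hand-built for the specifications $\mathbf{G}(i \to \mathbf{X}\, o)$, which is realizable, and $\mathbf{G}(o \leftrightarrow \mathbf{X}\, i)$, which is not, since Player $O$ must commit to $o_n$ before seeing $i_{n+1}$; the set of output propositions handed to `build_arena` plays the role of $O \cup \{p\}$.

```python
from itertools import combinations


def powerset(props):
    """All subsets of a finite set of propositions, as frozensets."""
    props = sorted(props)
    return [frozenset(c) for r in range(len(props) + 1)
            for c in combinations(props, r)]


def build_arena(dpa, inputs, outputs):
    """Arena of the proof of Theorem 8: V_0 = Q (Player I moves), V_1 = Q x 2^I
    (Player O moves); a vertex built from state q carries colour Omega(q).
    dpa = (Q, q0, delta, omega) with delta(q, letter) deterministic."""
    Q, _, delta, omega = dpa
    succ, owner, colour = {}, {}, {}
    for q in Q:
        succ[q] = [(q, i) for i in powerset(inputs)]              # Player I picks i ⊆ I
        owner[q], colour[q] = 'I', omega[q]
        for i in powerset(inputs):
            succ[(q, i)] = [delta(q, i | o) for o in powerset(outputs)]  # O picks o
            owner[(q, i)], colour[(q, i)] = 'O', omega[q]
    return set(succ), succ, owner, colour


def attractor(target, player, V, succ, owner):
    """Vertices of the subgame V from which `player` can force a visit to target."""
    attr = set(target)
    while True:
        new = {v for v in V - attr
               if (owner[v] == player and any(w in attr for w in succ[v] if w in V))
               or (owner[v] != player and all(w in attr for w in succ[v] if w in V))}
        if not new:
            return attr
        attr |= new


def zielonka(V, succ, owner, colour):
    """Winning regions of the max-parity game on V: Player O wins a play iff the
    largest colour seen infinitely often is even (the DPA's acceptance)."""
    if not V:
        return {'O': set(), 'I': set()}
    d = max(colour[v] for v in V)
    pl, opp = ('O', 'I') if d % 2 == 0 else ('I', 'O')
    A = attractor({v for v in V if colour[v] == d}, pl, V, succ, owner)
    W = zielonka(V - A, succ, owner, colour)
    if not W[opp]:
        return {pl: set(V), opp: set()}
    B = attractor(W[opp], opp, V, succ, owner)
    W = zielonka(V - B, succ, owner, colour)
    W[opp] |= B
    return W


def realizable(dpa, inputs, outputs):
    """Player O has a winning strategy from q0 in the parity game built from dpa."""
    V, succ, owner, colour = build_arena(dpa, inputs, outputs)
    return dpa[1] in zielonka(V, succ, owner, colour)['O']


def dpa_always_respond():
    """Constructed DPA for G(i -> X o): q1 = 'i was just read, o is due now';
    qbad (odd colour) is a rejecting sink."""
    def delta(q, A):
        if q == 'qbad' or (q == 'q1' and 'o' not in A):
            return 'qbad'
        return 'q1' if 'i' in A else 'q0'
    return ['q0', 'q1', 'qbad'], 'q0', delta, {'q0': 0, 'q1': 0, 'qbad': 1}


def dpa_predict_input():
    """Constructed DPA for G(o <-> X i): the output must announce the next input.
    ('prev', b) remembers whether o held in the previous letter."""
    def delta(q, A):
        if q == 'bad' or (q != 'init' and ('i' in A) != q[1]):
            return 'bad'
        return ('prev', 'o' in A)
    states = ['init', ('prev', False), ('prev', True), 'bad']
    return states, 'init', delta, {s: (1 if s == 'bad' else 0) for s in states}


if __name__ == '__main__':
    print(realizable(dpa_always_respond(), {'i'}, {'o'}))   # True
    print(realizable(dpa_predict_input(), {'i'}, {'o'}))    # False
```

The winning region returned by `zielonka` is exactly what the proof turns into a transducer: Player $O$'s choice at each vertex $(q, i)$ of a successor inside her region is a positional strategy with $V$ as state space.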


Also, we obtain a doubly-exponential upper bound on a valuation that allows to realize a given formula. A matching lower bound already holds for PLTL [?].

Corollary 2. If a PLDL$_\Diamond$ formula $\varphi$ is realizable with respect to some $\alpha$, then it is realizable with respect to an $\alpha$ that is bounded doubly-exponentially in $|\varphi|$.

Proof. If $\varphi$ is realizable, then so is $c(\varphi)$. Using the construction proving the right-to-left implication of Lemma 10, we obtain that $\varphi$ is realizable with respect to some $\alpha$ that is bounded by $2n + 2$, where $n$ is the size of a transducer implementing the strategy that realizes $c(\varphi)$. We have seen in the proof of Theorem 8 that the size of such a transducer is at most doubly-exponential in $|c(\varphi)|$, which is only linearly larger than $|\varphi|$. The result follows.


7 Optimal Variable Valuations for Model Checking and Realizability

In this section, we turn the model checking and the realizability problem into optimization problems, e.g., the model checking optimization problem asks for the optimal variable valuation such that a given system satisfies the specification with respect to this valuation. Similarly, the realizability optimization problem asks for an optimal variable valuation such that $\varphi$ is realizable with respect to this valuation. Furthermore, we are interested in computing a winning strategy for Player O witnessing realizability with respect to an optimal valuation. The definition of optimality depends on the type of formula under consideration: for PLDL$_\Diamond$ formulas, we want to minimize the waiting times while for PLDL$_\Box$ formulas, we want to maximize satisfaction times. For formulas having both types of parameterized operators, the optimization problems are undefined.

In Subsection 7.1 we show how to solve the model checking optimization problem in polynomial space. Then, in Subsection 7.2 we explain how to adapt the approach to solve the realizability optimization problem in triply-exponential time. Thus, the model checking optimization problem is in polynomial space, just as the decision problem, but there is an exponential gap between the realizability optimization problem and its decision variant. Note that this gap already exists for PLTL [21].

Both our results rely on the existence of automata of a certain size that 
recognize the models of a given PLDL formula with respect to a fixed variable 
valuation. On the one hand, it suffices to translate formulas with a single variable; 
on the other hand, due to some technicalities, we have to consider formulas that 
might additionally contain changepoint-bounded operators. The semantics of 
such formulas are defined as expected. 

Theorem 9. Let $\varphi$ be a PLDL formula with $\mathrm{var}(\varphi) = \{z\}$ possibly having changepoint-bounded operators and let $\alpha$ be a variable valuation. Then, there exists a natural number $n \in (3 \cdot (\alpha(z) + 1))^{\mathcal{O}(|\varphi|)}$ and there exist

1. a non-deterministic Büchi automaton of size $n$ and

2. a deterministic parity automaton of size $(n!)^2$ with $2n$ many colors

that recognize the language $L(\varphi, \alpha) = \{w \in (2^P)^\omega \mid (w, \alpha) \models \varphi\}$, which are both effectively constructible.

The existence of such automata is proven in Subsection 7.3 by adapting the Breakpoint construction of Miyano and Hayashi [16].

7.1 The Model Checking Optimization Problem 

In this subsection, we prove that the model checking optimization problem can be solved in polynomial space. As already mentioned above, we only consider PLDL$_\Diamond$ and PLDL$_\Box$ formulas. For PLDL$_\Diamond$ formulas, optimal variable valuations are as small as possible. To abstract a variable valuation to a single value, we can either take the minimal element among the variables, i.e., the shortest waiting time, or the maximal element among the variables, i.e., the longest waiting time. Both options provide a total ordering among variable valuations. For PLDL$_\Box$ formulas, optimal variable valuations are as large as possible. For abstraction purposes, we may again either take the maximal element, i.e., the longest guarantee, or the minimal element among the variables, i.e., the shortest guarantee. Again, this results in a total order.

Theorem 10. Let $\varphi_\Diamond$ be a PLDL$_\Diamond$ formula, let $\varphi_\Box$ be a PLDL$_\Box$ formula, and let $\mathcal{S}$ be a transition system. The following values are computable in polynomial space:

1. $\min_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Diamond \text{ w.r.t. } \alpha\}} \; \min_{x \in \mathrm{var}(\varphi_\Diamond)} \alpha(x)$.

2. $\min_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Diamond \text{ w.r.t. } \alpha\}} \; \max_{x \in \mathrm{var}(\varphi_\Diamond)} \alpha(x)$.

3. $\max_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Box \text{ w.r.t. } \alpha\}} \; \max_{y \in \mathrm{var}(\varphi_\Box)} \alpha(y)$.

4. $\max_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Box \text{ w.r.t. } \alpha\}} \; \min_{y \in \mathrm{var}(\varphi_\Box)} \alpha(y)$.

Note that all other combinations are trivial due to the monotonicity properties of PLDL. Furthermore, we can restrict our attention to formulas with at least one variable, as the optimization problem is trivial otherwise.

As a first step, we show that we can reduce all problems to ones with exactly 
one variable, but possibly with changepoint-bounded operators. 

1. Fix some $x \in \mathrm{var}(\varphi_\Diamond)$ and apply the rewriting introduced for the alternating-color technique to every variable but $x$ to obtain the formula $\varphi_x$, which has changepoint-bounded diamond-operators as well as diamond-operators parameterized by $x$. Applying both directions of Lemma 10 (which also holds if we do not replace all parameterized operators) yields
$$\min_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Diamond \text{ w.r.t. } \alpha\}} \; \min_{x \in \mathrm{var}(\varphi_\Diamond)} \alpha(x) \;=\; \min_{x \in \mathrm{var}(\varphi_\Diamond)} \; \min_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_x \text{ w.r.t. } \alpha\}} \alpha(x).$$
Thus, we have reduced the problem to $|\mathrm{var}(\varphi_\Diamond)|$ many optimization problems for formulas $\varphi_x$ with a single variable.

2. Rename every variable in $\varphi_\Diamond$ to $z$ and call the resulting formula $\varphi_\Diamond'$. Due to monotonicity, minimizing the maximal parameter value for $\varphi_\Diamond$ yields the same value as minimizing the value of $z$ for $\varphi_\Diamond'$.

3. Fix some $y \in \mathrm{var}(\varphi_\Box)$ and denote by $\varphi_y$ the formula obtained from $\varphi_\Box$ by replacing every subformula $[r]_{\le y'}\,\psi$ with $y' \ne y$ by $[\hat{r}]\,\psi$, where $\hat{r}$ is defined as in the proof of Lemma 3. Intuitively, this sets the value for every $y' \ne y$ to zero. Due to monotonicity, we have
$$\max_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Box \text{ w.r.t. } \alpha\}} \; \max_{y \in \mathrm{var}(\varphi_\Box)} \alpha(y) \;=\; \max_{y \in \mathrm{var}(\varphi_\Box)} \; \max_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_y \text{ w.r.t. } \alpha\}} \alpha(y),$$
i.e., we have reduced the problem to $|\mathrm{var}(\varphi_\Box)|$ many optimization problems for formulas $\varphi_y$ with a single variable.

4. Rename every variable in $\varphi_\Box$ to $z$ and call the resulting formula $\varphi_\Box'$. Due to monotonicity, maximizing the minimal parameter value for $\varphi_\Box$ yields the same value as maximizing the value of $z$ for $\varphi_\Box'$.

First, we consider the minimization problem for a formula $\varphi_\Diamond$ with a single variable $x \in \mathrm{var}_\Diamond(\varphi_\Diamond)$ and possibly with changepoint-bounded operators. From Corollary 1, which can easily be shown to hold for such formulas, too, we obtain an upper bound (that is exponential in $|\varphi_\Diamond|$ and linear in $|\mathcal{S}|$) on the value
$$\min_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Diamond \text{ w.r.t. } \alpha\}} \alpha(x).$$
Dually, for a formula $\varphi_\Box$ with a single variable $y \in \mathrm{var}_\Box(\varphi_\Box)$ and possibly with changepoint-bounded operators, Lemma 7, which holds for such formulas, too, yields a bound $k_{\max}$ (that is exponential in $|\varphi_\Box|$ and linear in $|\mathcal{S}|$) such that either
$$\max_{\{\alpha \mid \mathcal{S} \text{ satisfies } \varphi_\Box \text{ w.r.t. } \alpha\}} \alpha(y) \le k_{\max}$$
or the maximum is equal to $\infty$. Thus, in both cases, we have an exponential search space for the optimal value.

Therefore, binary search yields the optimal value, if we can solve each query "does $\mathcal{S}$ satisfy $\varphi$ with respect to $\alpha$" in polynomial space, provided $\alpha$ is exponential in $|\varphi|$ and linear in $|\mathcal{S}|$. To this end, we use the non-deterministic Büchi automaton $\mathfrak{A}$ recognizing $L(\neg\varphi, \alpha)$ as given by Item 1 of Theorem 9, whose size is exponential in $|\varphi|$ and linear in $|\mathcal{S}|$. Model checking $\mathcal{S}$ against $\mathfrak{A}$ answers the query and is possible in polynomial space by executing the emptiness test on-the-fly without constructing $\mathfrak{A}$ completely [29].

7.2 The Realizability Optimization Problem 

In this subsection, we show how to adapt the reasoning of the model checking 
case to give an algorithm for the realizability optimization problem with triply- 
exponential running time. 


Theorem 11. Let $\varphi_\Diamond$ be a PLDL$_\Diamond$ formula and let $\varphi_\Box$ be a PLDL$_\Box$ formula. The following values (and winning strategies witnessing them) can be computed in triply-exponential time:

1. $\min_{\{\alpha \mid \varphi_\Diamond \text{ realizable w.r.t. } \alpha\}} \; \min_{x \in \mathrm{var}(\varphi_\Diamond)} \alpha(x)$.

2. $\min_{\{\alpha \mid \varphi_\Diamond \text{ realizable w.r.t. } \alpha\}} \; \max_{x \in \mathrm{var}(\varphi_\Diamond)} \alpha(x)$.

3. $\max_{\{\alpha \mid \varphi_\Box \text{ realizable w.r.t. } \alpha\}} \; \max_{y \in \mathrm{var}(\varphi_\Box)} \alpha(y)$.

4. $\max_{\{\alpha \mid \varphi_\Box \text{ realizable w.r.t. } \alpha\}} \; \min_{y \in \mathrm{var}(\varphi_\Box)} \alpha(y)$.

The reductions to optimization problems for formulas with a single variable remain valid in the realizability case. However, instead of proving bounds on the search space for both the PLDL$_\Diamond$ case and the PLDL$_\Box$ case, we rely on Corollary 2, which proves an upper bound for the former case, and on duality: given a PLDL formula $\varphi$ over $P = I \cup O$ and its negation $\neg\varphi$ as defined in Lemma 1, define $\overline{\varphi}$ to be the formula obtained from $\neg\varphi$ by replacing each atomic proposition $p \in I$ by $\langle \mathrm{tt} \rangle p$ and each negated proposition $\neg p$ with $p \in I$ by $\langle \mathrm{tt} \rangle \neg p$. Here, $\langle \mathrm{tt} \rangle$ can be understood as the PLDL-equivalent of LTL's next-operator. The realizability problems for $\varphi$ and $\overline{\varphi}$ are dual, i.e., we have swapped the roles of the players and negated the specification (and used the next-operator to account for the fact that Player I is always the first to move). The following lemma formalizes this fact and relies on determinacy of parity games [?], to which the realizability problem is reduced, as shown in Section 6.

Lemma 11. Let $\varphi$ be a PLDL formula and let $\alpha$ be a variable valuation. Then, $\varphi$ is not realizable over $(I, O)$ with respect to $\alpha$ if and only if $\overline{\varphi}$ is realizable over $(O, I)$ with respect to $\alpha$.

Thus, applying Lemma 11 and monotonicity in the case of a PLDL$_\Box$ formula $\varphi_\Box$ with a single variable $y$ yields
$$\max_{\{\alpha \mid \varphi_\Box \text{ realizable w.r.t. } \alpha\}} \alpha(y) \;=\; \min_{\{\alpha \mid \overline{\varphi_\Box} \text{ realizable w.r.t. } \alpha\}} \alpha(y) \;-\; 1,$$
i.e., to solve the PLDL$_\Box$ optimization problem for $\varphi_\Box$ we just have to solve the problem for $\overline{\varphi_\Box}$ and subtract one.

Thus, it remains to consider a minimization problem for a formula $\varphi_\Diamond$ with a single variable $x \in \mathrm{var}_\Diamond(\varphi_\Diamond)$ and possibly with changepoint-bounded operators. From Corollary 2, which holds for such formulas, too, we obtain a doubly-exponential (in $|\varphi_\Diamond|$) upper bound on $\min_{\{\alpha \mid \varphi_\Diamond \text{ realizable w.r.t. } \alpha\}} \alpha(x)$.

Thus, we have a doubly-exponential search space for the optimal variable valuation. Recall that Item 2 of Theorem 9 gives us a deterministic parity automaton of triply-exponential size and with exponentially many colors (both in $|\varphi_\Diamond|$) recognizing $L(\varphi_\Diamond, \alpha)$, as $\alpha(x)$ is bounded doubly-exponentially. This allows us to construct a parity game of triply-exponential size with exponentially many colors that is won by Player O if and only if $\varphi_\Diamond$ is realizable with respect to $\alpha$. The construction is similar to the one described in the proof of Theorem 5. Such a parity game can be solved in triply-exponential time. Thus, to solve the optimization problem, we perform binary search through the doubly-exponential search space where each query can be answered in triply-exponential time by solving a parity game. Thus, the overall running time is indeed triply-exponential.

Furthermore, as already described in the aforementioned proof, a winning strategy for the parity game can be turned into a transducer witnessing realizability of $\varphi_\Diamond$. Finally, it is straightforward to show how to turn this transducer into one for the original specifications with potentially several variables. This is trivial for the cases not requiring an application of the alternating-color technique and requires the transformation described in the proof of Lemma 10 for the other cases. This finishes the proof of Theorem 11 save for the construction of a deterministic parity automaton with the desired properties.

7.3 Small Automata for PLDL 

Fix a formula $\varphi$ with a single variable $z \in \mathrm{var}(\varphi)$ possibly having changepoint-bounded operators and a variable valuation $\alpha$. We show how to adapt the Breakpoint construction of Miyano and Hayashi [16] to construct a non-deterministic Büchi automaton of size $(3 \cdot (\alpha(z) + 1))^{\mathcal{O}(|\varphi|)}$ to prove Item 1 of Theorem 9.

The deterministic automaton for Item 2 of Theorem 9 can then be obtained by applying Schewe's determinization construction [28], which determinizes a Büchi automaton with $n$ states into a parity automaton with $(n!)^2$ states and $2n$ colors.

Recall that $\varphi$ has a single variable. In the following, we assume that it parameterizes diamond-operators; the case of box-operators is dual and discussed below. Thus, call the variable $x$ and let $\psi_1, \ldots, \psi_k \in \mathrm{cl}(\varphi)$ be the parameterized subformulas of $\varphi$. Furthermore, let $\varphi'$ be the LDL$_{\mathrm{cp}}$ formula obtained by removing the parameters, i.e., by replacing each $\langle r \rangle_{\le x}\,\psi$ by $\langle r \rangle\,\psi$, and let $\mathfrak{A}_{\varphi'} = (Q, 2^P, q_0, \delta, F)$ be the equivalent alternating Büchi automaton given by Theorem 5. For $j \in \{1, \ldots, k\}$, we denote the set of states of the automaton $\mathfrak{A}_{r_j}$ checking for a match with $r_j$ by $Q^{\psi_j}$, which is a subset of $Q$. Furthermore, we assume the $Q^{\psi_j}$ to be pairwise disjoint.

Lemma 12. Let $\varphi$ and $\mathfrak{A}_{\varphi'}$ be as above and let $w \in (2^P)^\omega$. Then, $(w, \alpha) \models \varphi$ if and only if $\mathfrak{A}_{\varphi'}$ has an accepting run $\rho$ that satisfies the bounded-match property: every path $(q_n, n) \cdots (q_{n+\ell}, n+\ell)$ in $\rho$ with $q_n, \ldots, q_{n+\ell} \in Q^{\psi_j}$ satisfies $\ell \le \alpha(x)$ for every $j \in \{1, \ldots, k\}$.

To prove this lemma, we first need to strengthen Lemma 5 to be able to deal with parameterized formulas in the tests. Fix a regular expression $r$ with tests $\theta_1?, \ldots, \theta_k?$, which might contain parameterized operators, and let $\mathfrak{A}_r$ be the $\varepsilon$-NFA with markings obtained from the construction described above Lemma 5. Note that the markings are the formulas $\theta_1?, \ldots, \theta_k?$. Furthermore, let $w = w_0 w_1 w_2 \cdots \in (2^P)^\omega$, and let $w_0 \cdots w_{n-1}$ be a (possibly empty, if $n = 0$) prefix of $w$. The following two statements are equivalent for every $\alpha$:

1. $\mathfrak{A}_r$ has an accepting run on $w_0 \cdots w_{n-1}$ with $\varepsilon$-paths $\pi_i$ such that $(w_i w_{i+1} w_{i+2} \cdots, \alpha) \models \bigwedge m(\pi_i)$ for every $i$ in the range $0 \le i \le n$.

2. $(0, n) \in \mathcal{R}(r, w, \alpha)$.


Proof (Proof of Lemma 12). The following proof is a strengthening of the proof of Theorem 2. Again, we proceed by induction over the structure of $\varphi$.

First, we consider the direction from logic to automata. The induction starts for atomic formulas and the induction steps for disjunction and conjunction are straightforward. Hence, it remains to consider the temporal operators.

Consider $\langle r \rangle \varphi$. If $(w, \alpha) \models \langle r \rangle \varphi$, then there exists a position $n$ such that $(w_n w_{n+1} w_{n+2} \cdots, \alpha) \models \varphi$ and $(0, n) \in \mathcal{R}(r, w, \alpha)$. Hence, due to the strengthening of Lemma 5 there is an accepting run of $\mathfrak{A}_r$ on $w_0 \cdots w_{n-1}$ such that the tests visited during the run are satisfied with respect to $\alpha$ by the appropriate suffixes of $w$. Thus, applying the induction hypothesis yields accepting runs of the appropriate test automata $\mathfrak{A}_{\theta'}$ on these suffixes which satisfy the bounded-match property. Also, there is an accepting run of $\mathfrak{A}_{\varphi'}$ on $w_n w_{n+1} w_{n+2} \cdots$ which satisfies the bounded-match property, again by induction hypothesis. These runs can be "glued" together to build an accepting run of $\mathfrak{A}_{(\langle r \rangle \varphi)'}$ on $w$ satisfying the bounded-match property.

Now, consider $\langle r_j \rangle_{\le x}\,\psi_j$. If $(w, \alpha) \models \langle r_j \rangle_{\le x}\,\psi_j$, then there is a position $n \le \alpha(x)$ such that $(w_n w_{n+1} w_{n+2} \cdots, \alpha) \models \psi_j$ and $(0, n) \in \mathcal{R}(r_j, w, \alpha)$. Recall that we removed the parameter to obtain $\varphi'$. Thus, we can argue as in the previous case and obtain runs of $\mathfrak{A}_{r_j}$, of the appropriate test automata, and of $\mathfrak{A}_{\psi_j'}$, all satisfying the induction hypothesis. In particular, the run of $\mathfrak{A}_{r_j}$ has length $n \le \alpha(x)$ and therefore satisfies the bounded-match property. Thus, the glued run of $\mathfrak{A}_{(\langle r_j \rangle_{\le x}\,\psi_j)'} = \mathfrak{A}_{\langle r_j \rangle \psi_j'}$ satisfies the bounded-match property as well.

The case for $[r]\varphi$ is dual to the one for $\langle r \rangle \varphi$, while the cases for the changepoint-bounded operators $\langle r \rangle_{\mathrm{cp}}\,\varphi$ and $[r]_{\mathrm{cp}}\,\varphi$ are analogous, using the fact that $\mathfrak{A}_{\mathrm{cp}}$ accepts words which have at most one changepoint.

Now, we consider the other direction, where the induction starts for atomic formulas and the induction steps for disjunction and conjunction are again straightforward.

We continue with formulas of the form $\langle r \rangle \varphi$. Let $\rho$ be an accepting run of $\mathfrak{A}_{(\langle r \rangle \varphi)'}$ on $w$. Let $n \ge 0$ be the last level of $\rho$ that contains a state from $Q^r$. Such a level has to exist since states in $Q^r$ are not accepting and they have no incoming edges from states of the automata $\mathfrak{A}_{\varphi'}$ and $\mathfrak{A}_{\theta'}$ (the $\theta'$ are the tests in $r$), but the initial state of $\mathfrak{A}_{(\langle r \rangle \varphi)'}$ is in $Q^r$. Furthermore, $\mathfrak{A}_{(\langle r \rangle \varphi)'}$ is non-deterministic when restricted to states in $Q^r \setminus C^r$. Hence, we can extract an accepting run of $\mathfrak{A}_r$ from $\rho$ on $w_0 \cdots w_{n-1}$ that additionally satisfies the requirements formulated in the strengthening of Lemma 5 due to the transitions into the test automata and an application of the induction hypothesis. Hence, we have $(0, n) \in \mathcal{R}(r, w, \alpha)$. Also, from the remainder of $\rho$ (levels greater or equal to $n$) we can extract an accepting run of $\mathfrak{A}_{\varphi'}$ on $w_n w_{n+1} w_{n+2} \cdots$ satisfying the bounded-match property. Hence, $(w_n w_{n+1} w_{n+2} \cdots, \alpha) \models \varphi$ by induction hypothesis. So, we conclude $(w, \alpha) \models \langle r \rangle \varphi$.

In the case of $\langle r_j \rangle_{\le x}\,\psi_j$, the reasoning is similar: we have removed the parameter to obtain $\varphi'$. Thus, we end up in an analogous situation as in the previous case, but the level $n$ satisfies $n \le \alpha(x)$ due to the bounded-match property. This implies $(w, \alpha) \models \langle r_j \rangle_{\le x}\,\psi_j$.

Again, the case for $[r]\varphi$ is dual to the one for $\langle r \rangle \varphi$ and the cases for the changepoint-bounded operators $\langle r \rangle_{\mathrm{cp}}\,\varphi$ and $[r]_{\mathrm{cp}}\,\varphi$ rely on the fact that $\mathfrak{A}_{\mathrm{cp}}$ only accepts words which have at most one changepoint.

Next, we show that words having runs as described in Lemma 12 can be recognized by a non-deterministic Büchi automaton: the following lemma concludes the proof of Item 1 of Theorem 9. To this end, we extend the classical Breakpoint construction [16] by counters that check the bounded-match property: the original construction yields an automaton that guesses an accepting run of a given alternating Büchi automaton level by level, where the levels are represented as the set of states they contain. We employ the counters $\gamma$ to keep track of the length of paths in $Q^{\psi_j}$ in the guessed run. If the bound $\alpha(x)$ is exceeded, then the guessed run is discarded.

Lemma 13. There exists a non-deterministic Büchi automaton of size $(3 \cdot (\alpha(x) + 1))^{\mathcal{O}(|\varphi|)}$ that accepts $w \in (2^P)^\omega$ if and only if $\mathfrak{A}_{\varphi'}$ has an accepting run on $w$ satisfying the bounded-match property.

Proof. Let $\mathfrak{A}_{\varphi'} = (Q, 2^P, q_0, \delta, F)$ be as above and recall that $Q^{\psi_j} \subseteq Q$ for $j \in \{1, \ldots, k\}$ is the set of states which has to be left after at most $\alpha(x)$ steps in order to satisfy the bounded-match property. Define the Büchi automaton $\mathfrak{A}' = (Q', 2^P, q_0', \delta', F')$ with

- $Q' = \{(T, O, \gamma) \mid Q \supseteq T \supseteq O \text{ and } \gamma \in \{0, 1, \ldots, \alpha(x)\}^{T \cap \bigcup_{j=1}^k Q^{\psi_j}}\}$,

- $q_0' = (\{q_0\}, \emptyset, \gamma)$, where $\gamma(q_0) = \alpha(x)$ if $q_0 \in \bigcup_{j=1}^k Q^{\psi_j}$,

- $F' = \{(T, \emptyset, \gamma) \mid (T, \emptyset, \gamma) \in Q'\}$, and

- $\delta'((T, O, \gamma), A)$ is equal to
$$\{(T', T' \setminus F, \mathrm{upd}(\gamma, G)) \mid \text{there exists a graph } G = (T \cup T', E) \text{ with } E \subseteq T \times T' \text{ s.t. } \mathrm{Succ}_G(q) \models \delta(q, A) \text{ for every } q \in T\} \cap Q'$$
if $O = \emptyset$, and equal to
$$\{(T', O' \setminus F, \mathrm{upd}(\gamma, G)) \mid O' \subseteq T' \text{ and there exists a graph } G = (T \cup T', E) \text{ with } E \subseteq T \times T' \text{ s.t. } \mathrm{Succ}_G(q) \models \delta(q, A) \text{ for every } q \in T, \text{ and } \mathrm{Succ}_{G \restriction (O \cup O')}(q) \models \delta(q, A) \text{ for every } q \in O\} \cap Q'$$
if $O \ne \emptyset$. Here, $\mathrm{Succ}_G(q)$ denotes the set of successors of $q$ in $G$, $G \restriction (O \cup O')$ is the restriction of $G$ to $O \cup O'$, and $\mathrm{upd}(\gamma, G)$ is defined via
$$\mathrm{upd}(\gamma, G)(q') = \min\{\alpha(x),\ \gamma(q) - 1 \mid (q, q') \in E \text{ and } q, q' \in Q^{\psi_j} \text{ for some } j\}.$$

Note that we might have $\mathrm{upd}(\gamma, G)(q') < 0$, which implies that $\mathrm{upd}(\gamma, G)$ is not the third component of a state of $\mathfrak{A}'$ and explains the intersection with $Q'$ in the definition of $\delta'$. Thus, the counter $\gamma$ prevents the simulation of runs of $\mathfrak{A}_{\varphi'}$ that violate the bounded-match property by blocking transitions.


Intuitively, the graphs used to define the transition relation $\delta'$ are building blocks for runs of $\mathfrak{A}_{\varphi'}$ that contain two levels of a run as well as the edges between them that witness the satisfaction of the transition relation $\delta$. As already explained, the counter $\gamma$ ensures that every path through some $Q^{\psi_j}$ is of length $\alpha(x)$ or less.

In the first two components of $\mathfrak{A}'$, we implement the Breakpoint construction while we use the third component to implement a counter that checks the bounded-match property. The correctness of this construction follows directly from the correctness of the Breakpoint construction [16].
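As an added illustration that is not code from the paper, the following Python sketch implements the transition function $\delta'$ of Lemma 13 (Breakpoint construction plus the counters $\gamma$) and runs it on a small constructed alternating Büchi automaton; the automaton, its state names, the DNF encoding of $\delta$ and the bound are assumptions, and it simplifies $\delta'$ by enumerating only the graphs $G$ obtained from one clause of $\delta(q, A)$ per state and by taking $O'$ as the successors of $O$ in $G$.

```python
from itertools import product

# Constructed alternating Buechi automaton (ABA), an assumption for this
# illustration and not an automaton from the paper. delta(q, A) is a list of
# clauses (a DNF): a successor set satisfies delta(q, A) iff it contains some
# clause. Letters A are frozensets of atomic propositions. State "m" plays the
# role of the single Q^{psi_1}: a match that may run for at most alpha(x) steps.
ABA = {
    "init": "m",
    "final": frozenset({"t"}),
    "tracked": {"m": 1},                             # state -> index j of Q^{psi_j}
    "delta": lambda q, A: {
        "m": [frozenset({"m"}), frozenset({"p"})],   # extend the match or leave it
        "p": [frozenset({"t"})] if "p" in A else [],  # unsatisfiable without p
        "t": [frozenset({"t"})],                      # accepting sink
    }[q],
}

def upd(gamma, edges, bound, tracked):
    """Counter update upd(gamma, G) of Lemma 13: a target q' in some Q^{psi_j}
    gets min(bound, gamma(q) - 1) over edges (q, q') from the same Q^{psi_j},
    or just bound if no such edge exists. None = a counter would go below zero,
    i.e. the transition is blocked (the intersection with Q' in delta')."""
    new = {}
    for q, q2 in edges:
        if q2 in tracked:
            val = gamma[q] - 1 if tracked.get(q) == tracked[q2] else bound
            new[q2] = min(new.get(q2, bound), val)
    return None if any(v < 0 for v in new.values()) else new

def step(state, letter, aba, bound):
    """One transition delta'((T, O, gamma), A); returns the set of successors.
    gamma is kept as a sorted tuple of pairs so that macro-states are hashable.
    Graphs G: one clause per state of T (the minimal models of delta)."""
    T, O, gamma = state
    gamma = dict(gamma)
    delta, F, tracked = aba["delta"], aba["final"], aba["tracked"]
    order = sorted(T)
    succ = set()
    for pick in product(*(delta(q, letter) for q in order)):
        edges = {(q, q2) for q, C in zip(order, pick) for q2 in C}
        T2 = frozenset(q2 for _, q2 in edges)
        # Breakpoint: O collects the states that still owe a visit to F;
        # once it empties, a new breakpoint starts from the whole level T'.
        O2 = (frozenset(q2 for q, q2 in edges if q in O) if O else T2) - F
        new_gamma = upd(gamma, edges, bound, tracked)
        if new_gamma is not None:
            succ.add((T2, O2, tuple(sorted(new_gamma.items()))))
    return succ

def initial(aba, bound):
    q0 = aba["init"]
    gamma = ((q0, bound),) if q0 in aba["tracked"] else ()
    return (frozenset({q0}), frozenset(), gamma)

def is_accepting(state):
    return not state[1]                 # F' = macro-states with empty O

def run_prefix(word, aba, bound):
    """Macro-states of the Breakpoint automaton reachable after reading word."""
    current = {initial(aba, bound)}
    for letter in word:
        current = {s2 for s in current for s2 in step(s, letter, aba, bound)}
    return current
```

With bound 2, reading three letters without p leaves only the macro-state that has already left the match, and a fourth such letter blocks every transition, which is exactly the counter discarding runs that violate the bounded-match property.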

In case $\varphi$ has parameterized box-operators, e.g., with variable $y$, Lemma 12 reads as follows:

$(w, \alpha) \models \varphi$ if and only if $\mathfrak{A}_{\varphi'}$ has an accepting run $\rho$ where every path of the form $(q_n, n) \cdots (q_{n+\ell}, n+\ell)$ in $\rho$ with $q_n, \ldots, q_{n+\ell} \in Q^{\psi_j}$ for some $j \in \{1, \ldots, k\}$ satisfying $\ell > \alpha(y)$ may end in a terminal vertex $(q_{n+\ell}, n+\ell)$.

As before, adapting the Breakpoint construction by adding a counter mapping states in $T \cap \bigcup_{j=1}^k Q^{\psi_j}$ to $\{0, 1, \ldots, \alpha(y)\}$ yields a non-deterministic Büchi automaton that accepts exactly those words having a run that satisfies the bounded-match property for formulas with parameterized box-operators.


8 Conclusion 

We introduced Parametric Linear Dynamic Logic, which extends Linear Dynamic Logic by temporal operators equipped with parameters that bound their scope, similarly to Parametric Linear Temporal Logic, which extends Linear Temporal Logic by parameterized temporal operators. Here, the model checking problem asks for a valuation of the parameters such that the formula is satisfied with respect to this valuation on every path of the transition system. Realizability is defined in the same spirit.

We showed PLDL model checking and PLDL assume-guarantee model checking to be PSPACE-complete and PLDL realizability to be 2EXPTIME-complete, just as for LTL. Thus, in a sense, PLDL is not harder than LTL. Finally, we were able to give tight exponential respectively doubly-exponential bounds on the optimal valuations for model checking and realizability.

With respect to the computation of optimal valuations, we have shown this to be possible in polynomial space for model checking and in triply-exponential time for realizability, which is similar to the situation for PLTL [?]. Note that it is an open question whether optimal valuations for PLTL realizability can be determined in doubly-exponential time. Recently, a step towards this goal was made by giving an $\varepsilon$-approximation algorithm with doubly-exponential running time [?].